Microsoft Edge stores all passwords in memory in clear text, even when unused

What Edge Is Doing

  • Edge keeps all saved passwords in process memory in clear text, including ones not used in the current session.
  • Concern: this could expose the entire password database if process memory is read or dumped; passwords may also end up in swap.

How Serious Is This? Threat Models

  • One camp: if an attacker can read arbitrary process memory or has local/admin access, the system is already “game over”; this is just another way to exfiltrate secrets.
  • Counter‑camp: security is layered. Making exfiltration harder still matters, especially against partial exploits (memory disclosure bugs, browser sandbox escapes, physical access while the machine is unlocked).
  • Example threat: someone briefly using an unlocked machine could dump all passwords without triggering UI prompts.

Comparisons to Other Browsers and Managers

  • Several comments: this is not unique to Edge. Chrome, Firefox, and many password managers must hold plaintext passwords in memory at some point.
  • Distinction drawn between:
    • Plaintext in long‑lived memory “even when unused”, vs.
    • Decrypting on demand and aggressively zeroing after use.
  • Chrome’s published threat model explicitly excludes fully‑compromised local users; Edge is assumed to inherit much of Chromium’s behavior.

OS‑Level Isolation and Technical Nuances

  • Some argue desktop OS process isolation is fundamentally weak: a same‑user malicious process can often read or tamper with others.
  • Others note techniques like guard pages, PAGE_NOACCESS, secure enclaves, TPM, Credential Guard, and separate “vault” processes as meaningful defense‑in‑depth.
  • There is discussion of how hard it is to truly clear sensitive memory: compilers and CPUs can optimize a plain wipe away unless special, non‑elidable APIs are used.
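The two points above (decrypt on demand then zero, and wipes that the compiler silently drops) in one small C example. This is added illustration, not code from Edge, Chromium or any commenter in the thread. The XOR mask standing in for at‑rest encryption, the key living outside the resident entry, and the names `vault_store`, `vault_use`, `secure_zero` and `vault_leaks_plaintext` are all constructed for the example; the volatile‑function‑pointer idiom is a known portable fallback for `memset_s`/`explicit_bzero`/`SecureZeroMemory`.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Wipe through a volatile function pointer: the compiler cannot see which
 * function is called, so it cannot treat the store as dead and drop it, which
 * is exactly what happens to a plain memset() just before a buffer goes out
 * of scope. Where available, memset_s (C11 Annex K), explicit_bzero
 * (glibc/BSD) or SecureZeroMemory (Windows) are the vetted equivalents. */
static void *(*const volatile secure_memset)(void *, int, size_t) = memset;

void secure_zero(void *buf, size_t len) {
    secure_memset(buf, 0, len);
}

/* 1 if every byte of buf is zero, else 0. */
int is_zeroed(const unsigned char *buf, size_t len) {
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) acc |= buf[i];
    return acc == 0;
}

#define MAX_SECRET 64

/* Resident entry: only the masked form lives in long-lived memory. The XOR
 * mask is a constructed stand-in for real at-rest encryption with a key held
 * elsewhere (OS keychain, DPAPI, a separate vault process); it is not a
 * recommendation of XOR as a cipher. */
typedef struct {
    unsigned char masked[MAX_SECRET];
    size_t len;
} vault_entry;

void vault_store(vault_entry *e, const unsigned char *key,
                 const unsigned char *secret, size_t len) {
    if (len > MAX_SECRET) len = MAX_SECRET;
    memset(e, 0, sizeof *e);
    for (size_t i = 0; i < len; i++) e->masked[i] = secret[i] ^ key[i];
    e->len = len;
}

/* Decrypt on demand into the caller's scratch buffer, hand it to `use`, then
 * wipe it. The plaintext exists only for the duration of the call: the
 * "decrypt on demand and zero after use" pattern from the thread. */
int vault_use(const vault_entry *e, const unsigned char *key,
              unsigned char *scratch, size_t scratch_len,
              int (*use)(const unsigned char *, size_t, void *), void *ctx) {
    if (scratch_len < e->len) return -1;
    for (size_t i = 0; i < e->len; i++) scratch[i] = e->masked[i] ^ key[i];
    int rc = use(scratch, e->len, ctx);
    secure_zero(scratch, scratch_len);
    return rc;
}

/* 1 if the plaintext appears verbatim anywhere in the resident entry. This is
 * the check a reader of a memory dump would effectively perform. */
int vault_leaks_plaintext(const vault_entry *e, const unsigned char *secret, size_t len) {
    const unsigned char *base = (const unsigned char *)e;
    for (size_t off = 0; off + len <= sizeof *e; off++)
        if (memcmp(base + off, secret, len) == 0) return 1;
    return 0;
}

/* Sample consumer: copies the plaintext out (as a login form would read it). */
int copy_out(const unsigned char *p, size_t n, void *ctx) {
    memcpy(ctx, p, n);
    return (int)n;
}

/* End-to-end run; returns 0 on success, the step number on the first failure. */
int demo(void) {
    static const unsigned char secret[] = "hunter2";                 /* constructed */
    static const unsigned char key[MAX_SECRET] = {0x3a, 0x7f, 0xc1, 0x55,
                                                  0x9e, 0x12, 0xe8, 0x44}; /* constructed */
    size_t len = sizeof secret - 1;
    vault_entry e;
    unsigned char scratch[MAX_SECRET];
    unsigned char seen[MAX_SECRET] = {0};

    vault_store(&e, key, secret, len);
    if (vault_leaks_plaintext(&e, secret, len)) return 1;          /* resident copy is masked */
    if (vault_use(&e, key, scratch, sizeof scratch, copy_out, seen) != (int)len) return 2;
    if (memcmp(seen, secret, len) != 0) return 3;                   /* consumer saw plaintext */
    if (!is_zeroed(scratch, sizeof scratch)) return 4;              /* scratch wiped after use */
    if (vault_use(&e, key, scratch, 3, copy_out, seen) != -1) return 5; /* scratch too small */
    secure_zero(seen, sizeof seen);
    return 0;
}

int main(void) {
    int rc = demo();
    if (rc == 0) printf("ok\n");
    else printf("failed at step %d\n", rc);
    return rc;
}
```

The part that matters for the "unused passwords" concern is where the plaintext lives: in this layout it only ever exists in `scratch`, for the span of one call, and `vault_leaks_plaintext` is the check that the long‑lived entry never contains it. Swapping `secure_zero` for a plain `memset` would compile and pass a debug build, but an optimizing compiler is free to delete that last store, which is why the thread treats "we memset it" as insufficient on its own.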

Passwords vs. Passkeys and Managers

  • Multiple comments advocate dedicated password managers (KeePass, Bitwarden, etc.) over browser storage, mainly for portability and control—not because they fully solve in‑memory exposure.
  • Strong support for passkeys and FIDO2/YubiKey‑style hardware as a better model, but many report serious usability and account‑recovery issues, especially when devices are lost or stolen.

Meta: Security Culture

  • Some see this disclosure as over‑hyped “rage bait”; others view it as a legitimate critique of poor memory‑handling practices in a modern browser.