Security researcher Tom Jøran Sønstebyseter Rønning has identified that Microsoft Edge loads all stored user credentials into system memory as plaintext upon browser startup. This behavior persists regardless of whether the user interacts with specific password-protected sites during their session. Verification by the tech outlet Heise Online confirms the exposure of sensitive data within the application's memory space.
Current Landscape of Edge Authentication Issues
| Issue Type | Reported Status | Suggested Remediation |
|---|---|---|
| Plaintext Memory Load | Identified/Ongoing | None provided by developer |
| Autofill Failures | Reported Frequent | Review edge://wallet/ or profile sync |
| Primary Password Rejection | Intermittent | Export credentials/Reset profile |
| Sync Conflicts | Reported Frequent | Reset edge://sync-internals |
The architectural decision to keep passwords in an unencrypted state in memory contradicts common expectations regarding "secure" password managers. While Microsoft maintains this functionality is working as intended, it leaves open a window for potential credential scraping by malicious processes with elevated system permissions.
Systemic Fragility and User Friction
Beyond the memory exposure, the browser has faced recurring issues throughout late 2025 and early 2026 regarding its credential infrastructure:
Credential Consolidation: Microsoft has moved away from the legacy Authenticator-based autofill, forcing users into the Microsoft Wallet ecosystem. This transition has been marked by reports of intermittent autofill failures and synchronization errors.
Authentication Deadlocks: Users frequently report Edge rejecting valid primary passwords. In these instances, the provided workarounds are often destructive, requiring users to export data, reset local profiles, or purge sync history entirely to restore basic browser utility.
Conflict with Third-Party Tools: The browser’s native credential manager often creates friction with external password management software, leading to authentication loops where the browser fails to store or recall site credentials properly.
Contextual Observation
The tension between the browser's aggressive pursuit of a centralized wallet-based experience and the technical stability of its credential store suggests a system under strain. The discovery that plaintext passwords occupy active memory at startup—labeled a "serious password problem" by cybersecurity observers—raises questions about the prioritization of speed and convenience over granular, per-session data encryption. Users experiencing sync or login degradation are frequently instructed by official channels to reset deep browser settings, a response that reflects the complexity, and perhaps the volatility, of the current Edge profile management architecture.