Security researchers have raised concerns about how Microsoft Edge manages saved passwords while the browser is running. Microsoft has confirmed that this behaviour is intentional and operates “by design.”
There is no evidence of an active breach, and Edge is not considered vulnerable when it is closed. However, researchers warn that Edge’s password‑handling approach increases risk during active browser sessions, particularly in enterprise and shared environments.
When Microsoft Edge is opened, it decrypts all saved credentials and loads them into the browser’s process memory for use during that session.
This means passwords are available to Edge for as long as the browser remains open, even if the user does not visit the associated websites. When Edge is closed, those credentials are no longer present in memory.
By comparison, Google Chrome decrypts passwords only when required, such as during autofill, and limits how long they remain in memory, reducing exposure during a running session.
This behaviour matters most in shared or enterprise environments, including:
If an attacker gains administrative access while Edge is open, they may be able to inspect the memory of running user processes. In that scenario, saved passwords could potentially be extracted, including credentials belonging to users whose Edge sessions remain open in the background.
Importantly, this is not a persistent vulnerability. The risk exists only during the period when Edge is actively running.
A publicly released proof‑of‑concept demonstration shows how a compromised administrator account could extract credentials from active Edge sessions on the same system.
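One way a defender could watch for the scenario above is to filter Sysmon ProcessAccess (Event ID 10) records for non-Edge processes that open `msedge.exe` with memory-read rights. This is an added example, not code from the original article or from Microsoft. It assumes Sysmon is configured to log process access and that events are available as dictionaries; the sample records, paths and user names are constructed.

```python
PROCESS_VM_READ = 0x0010  # Windows access right required to read another process's memory

# Constructed sample records using Sysmon Event ID 10 (ProcessAccess) field names.
# Paths, users and the tool name are made up for illustration.
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": EDGE, "TargetImage": EDGE,
     "GrantedAccess": "0x1fffff", "SourceUser": r"CORP\alice", "TargetUser": r"CORP\alice"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\tool.exe", "TargetImage": EDGE,
     "GrantedAccess": "0x1410", "SourceUser": r"CORP\admin", "TargetUser": r"CORP\alice"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe", "TargetImage": EDGE,
     "GrantedAccess": "0x1000", "SourceUser": r"CORP\alice", "TargetUser": r"CORP\alice"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\tool.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe",
     "GrantedAccess": "0x1410", "SourceUser": r"CORP\admin", "TargetUser": r"CORP\alice"},
]

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def edge_memory_reads(events, allowed_sources=("msedge.exe",)):
    """Return ProcessAccess events where a non-allowed process may read Edge memory."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 10 or basename(ev.get("TargetImage", "")) != "msedge.exe":
            continue
        if basename(ev.get("SourceImage", "")) in allowed_sources:
            continue  # Edge's own processes open each other routinely
        try:
            access = int(ev.get("GrantedAccess", "0"), 16)
        except (ValueError, TypeError):
            continue  # malformed access mask: skip rather than guess
        if not access & PROCESS_VM_READ:
            continue  # handle cannot be used to read memory
        findings.append({
            "source": ev["SourceImage"],
            "access": hex(access),
            # Different users on source and target matches the shared-host case
            "cross_user": ev.get("SourceUser") != ev.get("TargetUser"),
        })
    return findings

if __name__ == "__main__":
    for finding in edge_memory_reads(SAMPLE_EVENTS):
        print(finding)
```

In practice the `allowed_sources` list needs tuning for endpoint security agents and other software that legitimately opens browser processes.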
For non‑technical users, the key point is this:
Microsoft Edge does not expose your passwords when it is closed. The risk exists only while the browser is open.
A simple way to think about it:
This design works fine for convenience, but it means that if something goes wrong while Edge is running, saved passwords may be easier to access than expected.
The Windows PIN or password prompt used to view saved passwords in Edge protects against casual access, but it does not change how passwords are handled internally during an active session.
For most home users, this represents a situational risk, not an immediate threat, but for work, shared, or remote systems, the risk is more significant.
No, security experts are not advising users to stop using Microsoft Edge.
Instead, the recommendation is to avoid using Edge as a password manager for sensitive credentials, particularly in enterprise environments.
Best practices include:
No. Microsoft Edge is not unsafe, and this is not a flaw that exposes passwords when the browser is closed. However, using Edge as a password manager means your credentials are available in memory whenever the browser is open.
Until this design changes, treating Edge’s built‑in password storage as a convenience feature, rather than a secure vault, is the safer approach.