Microsoft Edge storing passwords as plain text? Microsoft responds.

Password managers are supposed to make users’ lives easier by remembering their passwords and keeping them secure.

However, a cybersecurity researcher has discovered a rather worrying development regarding Microsoft Edge and the behavior of the web browser’s password manager.

According to researcher Tom Jøran Sønstebyseter Rønning, Microsoft Edge loads every saved password into memory on startup, in plain text.

In a thread, Rønning detailed how credentials are decrypted even if a user does not visit a site that uses the password manager during the user session.

“If an attacker gains administrative access to a terminal server, he can access the memory of all connected user processes,” writes Rønning.

Edge is Microsoft’s proprietary web browser based on the open source Chromium project, the code base developed and maintained by Google. However, as Rønning shared, this issue involving plain text credentials does not appear in other Chromium-based browsers like Google Chrome.

“Edge is the only Chromium-based browser I’ve tested that behaves this way,” says Rønning. “In contrast, Chrome uses a design that makes it much more difficult for attackers to extract saved passwords by simply reading the process’s memory.”

Rønning says he first contacted Microsoft about his findings before publicly disclosing the problem. According to the cybersecurity researcher, Microsoft responded by saying that this behavior in Microsoft Edge was “intentional.”

German technology website Heise Online has reproduced the password glitch. The site also notes that, according to well-established cybersecurity best practices, “passwords should only be decrypted at the time of use and deleted from memory very shortly thereafter.”
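The difference between decrypting everything at startup and decrypting only at the time of use can be shown in a small C model. This is an added example, not code from Rønning, Heise Online, Microsoft or Chromium; the vault layout, the function names and the sample passwords are constructed, and the XOR `toy_crypt` is an assumed stand-in for a real cipher with an OS-protected key.

```c
#include <stdio.h>
#include <string.h>
enum { N = 3, MAXLEN = 32 };
/* Constructed sample credentials, not real data. */
static const char SAMPLE[N][MAXLEN] = {"mail-hunter2", "bank-s3cret!", "forum-pa55wd"};

static struct {
    char blob[N][MAXLEN];  /* ciphertext, always resident */
    char plain[N][MAXLEN]; /* filled only by the eager design */
    char scratch[MAXLEN];  /* short-lived buffer, on-demand design */
} V;
/* Stand-in for the real cipher and OS-protected key; XOR is NOT secure. */
static void toy_crypt(char *dst, const char *src) {
    for (int i = 0; i < MAXLEN; i++) dst[i] = src[i] ^ 0x5A;
}
/* Volatile writes so the compiler cannot drop the wipe as a dead store. */
static void wipe(void *p, size_t n) {
    for (volatile unsigned char *b = p; n--; b++) *b = 0;
}
/* What a reader of this memory sees: passwords present in plain text. */
int plaintext_hits(void) {
    int hits = 0;
    for (int i = 0; i < N; i++)
        for (size_t off = 0, n = strlen(SAMPLE[i]); off + n <= sizeof V; off++)
            if (memcmp((const char *)&V + off, SAMPLE[i], n) == 0) { hits++; break; }
    return hits;
}
int vault_init(void) { /* fresh start: only ciphertext in memory */
    wipe(&V, sizeof V);
    for (int i = 0; i < N; i++) toy_crypt(V.blob[i], SAMPLE[i]);
    return plaintext_hits();
}
int load_eager(void) { /* eager design: decrypt every entry at startup */
    for (int i = 0; i < N; i++) toy_crypt(V.plain[i], V.blob[i]);
    return plaintext_hits();
}
/* On-demand design: decrypt one entry, hand it to the consumer, wipe it. */
int use_entry(int i, int (*consumer)(const char *)) {
    toy_crypt(V.scratch, V.blob[i]);
    int rc = consumer(V.scratch);
    wipe(V.scratch, sizeof V.scratch);
    return rc;
}
/* Hypothetical consumer (think autofill): confirms it received entry 0. */
int is_mail_pw(const char *pw) { return strcmp(pw, SAMPLE[0]) == 0; }
int main(void) {
    int fresh = vault_init(), used = use_entry(0, is_mail_pw), after = plaintext_hits();
    printf("fresh=%d used=%d after_use=%d eager=%d\n", fresh, used, after, load_eager());
    return 0;
}
```

In the on-demand path the password is resident only while the consumer runs, so a scan of the vault before or after finds nothing; after the eager load the same scan finds every entry.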

Given Microsoft’s alleged response to Rønning, users concerned about this potential issue should consider other password managers.

Mashable has reached out to Microsoft for more information on the recent findings. We will update this article if we receive a response.
