MICROSOFT says it is changing Edge’s plaintext password handling as a defence‑in‑depth measure. Previously Edge decrypted the entire saved‑password store on startup and kept credentials in memory in clear text for the whole browser session. It had been described as by design, but the behaviour is now being changed and is already present in Canary, with rollout prioritised across all channels.
The change is supported by researchers who noted Edge was the only Chromium‑based browser tested with this approach, unlike Chrome which uses a design that makes it harder to harvest passwords from memory.
According to Microsoft, Going forward, Edge will no longer load all saved passwords into memory at browser startup; instead, passwords will be decrypted only when needed for autofill or password management operations, and the update will reach build 148 and newer across Stable, Beta, Dev, Canary and Extended Stable. The aim is to make Edge roughly as secure as other Chromium‑based browsers while preserving usability.