Microsoft says Edge’s plaintext password behaviour is “by design.” A security researcher tested major Chromium-based browsers and found that Edge loads the entire password vault into process memory in plaintext at startup, where it remains for the session, unlike Chrome and others, which decrypt credentials only when needed. The article notes that Edge does not use protections like app-bound encryption in this context.
The researcher demonstrated the issue with a PoC that relies on reading process memory, a capability that requires elevated privileges. Microsoft's official response is that the behaviour speeds up sign-in and autofill, and that attackers would already need a compromised machine to read RAM, a scenario regarded as out of scope for this design decision.