Microsoft Edge Stops Loading Saved Passwords in Clear Text at Startup
What Happened — Microsoft announced a change to Edge’s password manager: saved credentials will no longer be decrypted and kept in clear‑text memory when the browser starts. The new behavior is already live in the Canary channel and will roll out to Stable, Beta, Dev and Extended Stable builds (≥ 148).
Why It Matters for TPRM —
- Reduces the attack surface for credential‑theft malware that reads process memory.
- Aligns Edge with the security posture of other Chromium browsers, limiting a known “defense‑in‑depth” gap.
- Signals Microsoft’s proactive hardening of a widely‑deployed endpoint product used by many third‑party vendors.
Who Is Affected — Enterprises and SaaS providers that rely on Microsoft Edge for web access and password autofill across all industry sectors.
Recommended Actions —
- Verify that your organization’s Edge deployments are updated to build 148 or later.
- Review internal policies on browser‑based password storage; consider disabling autofill for high‑risk accounts.
- Encourage use of multi‑factor authentication (MFA) and dedicated password managers for privileged credentials.
Technical Notes — The previous design decrypted the entire password vault at launch, exposing all stored secrets in process memory. The new design decrypts on‑demand, only when a credential is needed for autofill or password management. No CVE was issued; the change is a hardening measure rather than a patch for an exploitable bug. Source: Malwarebytes Labs