The Last Watchdog

LW ROUNDTABLE: Microsoft Edge normalizes credential exposure — security pros push back
2026-05-13 · via The Last Watchdog

By Byron V. Acohido

By design.

Two words that have done an awful lot of heavy lifting in the cybersecurity industry over the years. They tend to surface whenever a vendor wants to wave off a serious finding without fixing it.

Related: The unending password problem

Microsoft just deployed them again. This time in response to a Norwegian researcher who showed that Edge holds every saved password in plaintext memory for the entire browser session — even credentials for sites the user never opens. The disclosure landed just days before World Password Day.

A working demonstration

Tom Jøran Sønstebyseter Rønning is no hobbyist. He leads proactive security at Statnett SF, the Norwegian state grid operator. He disclosed the finding April 29 at Palo Alto Networks Norway’s BIG Bite of Tech conference. On May 4 he posted a video walkthrough on X. He also released a proof-of-concept tool, EdgeSavedPasswordsDumper, on GitHub.

He tested every major Chromium-based browser. Edge was the only one loading the entire vault into plaintext at startup. Chrome decrypts on demand. It also binds those keys to an authenticated browser process through Application-Bound Encryption.

The SANS Internet Storm Center reproduced the behavior in minutes using Windows Task Manager and the Sysinternals strings utility.
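The design distinction described above (a vault decrypted wholesale at startup versus one decrypted per entry on demand) can be shown with a small model. The following Python is an added illustration for this roundup, not code from Microsoft, Chromium, Rønning's tool, or the SANS reproduction; the vault classes, the HMAC-counter stream cipher used as a stand-in for real encryption, and the "memory scan" that simply inspects object state are all assumptions made for the demonstration.

```python
# Added illustration: eager vs on-demand decryption of a saved-password vault,
# and what a reader of the vault's state finds in each design. Not browser code.
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as an illustrative stream cipher (assumption:
    # stands in for whatever a real browser uses to protect the vault on disk).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


class EagerVault:
    """Decrypts every entry at startup; every plaintext stays resident for the session."""

    def __init__(self, key: bytes, entries: dict):
        self._plain = {site: decrypt(key, blob) for site, blob in entries.items()}

    def get(self, site: str) -> bytes:
        return self._plain[site]


class OnDemandVault:
    """Holds ciphertext only; decrypts one entry when asked and keeps no plaintext copy."""

    def __init__(self, key: bytes, entries: dict):
        self._key = key
        self._cipher = dict(entries)

    def get(self, site: str) -> bytes:
        return decrypt(self._key, self._cipher[site])


def _state_bytes(obj) -> bytes:
    # Flatten the object's attributes into one byte string (stand-in for a memory dump).
    if isinstance(obj, (bytes, bytearray)):
        return bytes(obj)
    if isinstance(obj, dict):
        return b"".join(_state_bytes(v) for v in obj.values())
    if hasattr(obj, "__dict__"):
        return _state_bytes(vars(obj))
    return b""


def resident_plaintexts(vault, known_secrets) -> int:
    """How many of the known secrets appear verbatim in the vault's retained state."""
    state = _state_bytes(vault)
    return sum(1 for s in known_secrets if s in state)


def demo() -> dict:
    # Constructed sample credentials; the key is random per run.
    key = secrets.token_bytes(32)
    passwords = {"bank.example": b"correct horse battery", "mail.example": b"Tr0ub4dor&3-rotated"}
    stored = {site: encrypt(key, pw) for site, pw in passwords.items()}
    eager, lazy = EagerVault(key, stored), OnDemandVault(key, stored)
    return {
        "eager_at_startup": resident_plaintexts(eager, passwords.values()),
        "ondemand_at_startup": resident_plaintexts(lazy, passwords.values()),
        "ondemand_lookup_ok": lazy.get("bank.example") == passwords["bank.example"],
        "ondemand_after_lookup": resident_plaintexts(lazy, passwords.values()),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports both secrets resident in the eager vault before any site is visited, and none in the on-demand vault before or after a lookup, even though the lookup still returns the correct password. Two caveats apply: the returned plaintext still exists on the caller's side until it is discarded (Python gives no control over when that heap memory is reused), and the model says nothing about binding the decryption key to the identity of the calling process, which is the further step Application-Bound Encryption adds on top of on-demand decryption.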

By design, by deflection

Microsoft told Rønning during responsible disclosure that the behavior is intentional. A company spokesperson later told Dark Reading that any attacker reading that memory would already need to have compromised the device.

The dispute cuts to a larger question security architects have wrestled with for years: when does convenience become exposure?

That framing also has a familiar ring. Once an attacker is on a shared system — a terminal server, a virtual desktop, a contractor laptop — a single compromise should not cascade across every saved password for every logged-in user.

That is the part security pros are pushing back on. Last Watchdog asked privacy and security experts two questions. What does the Edge stance say about how the industry treats credential exposure — as a design problem or a user-behavior problem? And where should the trust boundary actually sit for credentials in 2026, especially in shared environments? Their commentary follows.

Uzair Gadit, Founder and CEO, Secure.com

The Edge disclosure highlights a larger flaw in how the industry approaches credential security. Organizations have spent years telling users to adopt stronger passwords and password managers, yet those protections lose value if credentials remain exposed in memory for the life of a browser session.

In shared environments such as RDS or Citrix, a single privileged compromise can quickly expand into broad credential exposure across multiple users. The deeper issue is not password hygiene, but how long credentials remain accessible in usable form once authentication occurs. Convenience-driven design choices increasingly collide with how modern attackers operate.

Ted Miracco, CEO, Approov

Modern infostealers thrive in the gap between credentials that are encrypted at rest and exposed at runtime. The industry increasingly needs to move toward app-bound, just-in-time access to secrets rather than long-lived plaintext credentials sitting in memory.

Once passwords or tokens are handled in cleartext, they become accessible to any malicious process capable of observing memory or intercepting execution flows. Runtime protections and tighter controls around how credentials are accessed and reused are becoming essential because attackers no longer need to break encryption itself to compromise identity and move laterally through systems.

Morey Haber, Chief Security Advisor, BeyondTrust

Passwords were never meant to persist as long-lived artifacts sitting in system memory. They were intended to be transient secrets: entered, validated, and discarded. Once credentials remain in cleartext memory, they effectively become exposed assets rather than protected authentication factors.

Threat actors have exploited this reality for years through credential dumping, memory scraping, and post-exploitation tooling. In shared or privileged environments, a single exposed password can become the starting point for lateral movement, ransomware deployment, or broader identity compromise. The larger issue is not user hygiene, but how modern systems handle credentials after authentication occurs.

Craig Lurey, CTO and Co-Founder, Keeper Security

The Edge finding exposes a broader weakness in how Windows handles application memory. Browsers and password managers routinely keep sensitive credentials in memory, while other user-mode processes can still access that memory under certain conditions.

Researchers have demonstrated variations of this problem for years. The deeper issue is not simply that passwords appear in plaintext, but that malware running under the same user context may be able to read them without elevated privileges. The result is an environment where a local compromise can quickly turn into credential theft and wider account exposure.

Abhay Kulkarni, CEO and Founder, WideField Security

Operating systems have improved process-memory protections over the past decade, yet infostealers and malicious browser add-ons still routinely find ways to extract credentials and session data. The larger concern is that keeping passwords or tokens in cleartext memory undermines the principle of least privilege by making sensitive data broadly accessible once a system is compromised.

Attackers increasingly target session tokens because they can bypass MFA protections entirely. Chrome’s move toward stronger password isolation is a useful step, but the same protections should extend to session cookies and authentication tokens that remain exposed in browser memory.

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(Editor’s note: I used Claude and ChatGPT to assist with research compilation, source discovery, and early draft structuring. All interviews, analysis, fact-checking, and final writing are my own. I remain responsible for every claim and conclusion.)

May 13th, 2026 | My Take | Top Stories