The Last Watchdog

LW ROUNDTABLE: Microsoft Edge normalizes credential exposure — security pros push back - The Last Watchdog
2026-05-13 · via The Last Watchdog

By Byron V. Acohido

By design.

Two words that have done an awful lot of heavy lifting in the cybersecurity industry over the years. They tend to surface whenever a vendor wants to wave off a serious finding without fixing it.

Related: The unending password problem

Microsoft just deployed them again. This time in response to a Norwegian researcher who showed that Edge holds every saved password in plaintext memory for the entire browser session — even credentials for sites the user never opens. The disclosure landed just days before World Password Day.

A working demonstration

Tom Jøran Sønstebyseter Rønning is no hobbyist. He leads proactive security at Statnett SF, the Norwegian state grid operator. He disclosed the finding April 29 at Palo Alto Networks Norway’s BIG Bite of Tech conference. On May 4 he posted a video walkthrough on X. He also released a proof-of-concept tool, EdgeSavedPasswordsDumper, on GitHub.

He tested every major Chromium-based browser. Edge was the only one that loaded the entire vault into plaintext at startup. Chrome decrypts a saved password only when it is needed, and its Application-Bound Encryption ties the decryption key to an authenticated Chrome process rather than to the user's session alone, so another process running as the same user cannot simply unwrap the store.

The SANS Internet Storm Center reproduced the behavior in minutes using Windows Task Manager (to dump the Edge process) and the Sysinternals strings utility (to search the dump for readable text).
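One way to repeat that check yourself, added here as an illustration rather than code from the article, SANS or Rønning's EdgeSavedPasswordsDumper: save a distinctive canary password in the browser, create a dump of the browser process from Task Manager ("Create dump file"), then scan the dump for the canary in both encodings Windows uses for text. The dump path and the canary value below are hypothetical, and the embedded sample bytes are constructed so the script runs offline.

```python
"""Scan a process memory dump for a canary credential (added example).

Assumes the dump was written by Task Manager's "Create dump file" on the
browser process and saved somewhere like
C:\\Users\\me\\AppData\\Local\\Temp\\msedge.DMP (hypothetical path), and that
a distinctive canary password was saved in the browser beforehand. Like
Sysinternals strings, it checks both ASCII and UTF-16LE, because Windows
keeps most user-facing text as UTF-16.
"""
from __future__ import annotations
import sys


def find_canary(dump: bytes, canary: str) -> list[tuple[int, str]]:
    """Return (offset, encoding) for every occurrence of canary in dump."""
    hits = []
    for enc in ("ascii", "utf-16-le"):
        needle = canary.encode(enc)
        start = 0
        while True:
            idx = dump.find(needle, start)
            if idx < 0:
                break
            hits.append((idx, enc))
            start = idx + 1
    return hits


def context(dump: bytes, offset: int, enc: str, width: int = 48) -> str:
    """Decode a window around a hit so the analyst can see neighbouring strings."""
    lo = max(0, offset - width)
    hi = min(len(dump), offset + width)
    window = dump[lo:hi]
    if enc == "utf-16-le" and (offset - lo) % 2:
        window = window[1:]  # keep 2-byte code units aligned with the hit
    text = window.decode(enc, errors="replace")
    return "".join(ch if ch.isprintable() else "." for ch in text)


# Constructed stand-in for a dump; NOT bytes from a real Edge process.
SAMPLE_CANARY = "Canary-Pw-7f3a9c"
SAMPLE_DUMP = (
    b"\x00" * 64
    + b"https://example.invalid/login\x00"
    + SAMPLE_CANARY.encode("utf-16-le")
    + b"\x00" * 32
    + SAMPLE_CANARY.encode("ascii")
    + b"\x00" * 64
)


def main(path: str | None = None, canary: str = SAMPLE_CANARY) -> list[tuple[int, str]]:
    dump = open(path, "rb").read() if path else SAMPLE_DUMP
    hits = find_canary(dump, canary)
    if not hits:
        print("canary not found in plaintext")
    for off, enc in hits:
        print(f"0x{off:08x} {enc:9s} ...{context(dump, off, enc)}...")
    return hits


if __name__ == "__main__":
    main(*sys.argv[1:3])
```

Run it against a real dump as `python scan_dump.py C:\path\to\msedge.DMP Canary-Pw-7f3a9c` (file name hypothetical). A hit for a site you never opened during the session is the behavior the article describes. A clean result does not by itself prove the credential is protected, only that it was not resident at the instant of the dump.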

By design, by deflection

Microsoft told Rønning during responsible disclosure that the behavior is intentional. A company spokesperson later told Dark Reading that any attacker reading that memory would already need to have compromised the device.

The dispute cuts to a question security architects have wrestled with for years: when does convenience become exposure?

The "already compromised" framing has a familiar ring, and it skips the case that matters most. On a shared system — a terminal server, a virtual desktop, a contractor laptop — many users' browser sessions run side by side, and a single compromise should not cascade across every saved password for every logged-in user.

That is the part security pros are pushing back on. Last Watchdog asked privacy and security experts two questions. What does the Edge stance say about how the industry treats credential exposure — as a design problem or a user-behavior problem? And where should the trust boundary actually sit for credentials in 2026, especially in shared environments? Their commentary follows.

Uzair Gadit, Founder and CEO, Secure.com

The Edge disclosure highlights a larger flaw in how the industry approaches credential security. Organizations have spent years telling users to adopt stronger passwords and password managers, yet those protections lose value if credentials remain exposed in memory for the life of a browser session.

In shared environments such as RDS or Citrix, a single privileged compromise can quickly expand into broad credential exposure across multiple users. The deeper issue is not password hygiene, but how long credentials remain accessible in usable form once authentication occurs. Convenience-driven design choices increasingly collide with how modern attackers operate.

Ted Miracco, CEO, Approov

Modern infostealers thrive in the gap between credentials that are encrypted at rest and exposed at runtime. The industry increasingly needs to move toward app-bound, just-in-time access to secrets rather than long-lived plaintext credentials sitting in memory.

Once passwords or tokens are handled in cleartext, they become accessible to any malicious process capable of observing memory or intercepting execution flows. Runtime protections and tighter controls around how credentials are accessed and reused are becoming essential because attackers no longer need to break encryption itself to compromise identity and move laterally through systems.

Morey Haber, Chief Security Advisor, BeyondTrust

Passwords were never meant to persist as long-lived artifacts sitting in system memory. They were intended to be transient secrets: entered, validated, and discarded. Once credentials remain in cleartext memory, they effectively become exposed assets rather than protected authentication factors.

Threat actors have exploited this reality for years through credential dumping, memory scraping, and post-exploitation tooling. In shared or privileged environments, a single exposed password can become the starting point for lateral movement, ransomware deployment, or broader identity compromise. The larger issue is not user hygiene, but how modern systems handle credentials after authentication occurs.

Craig Lurey, CTO and Co-Founder, Keeper Security

The Edge finding exposes a broader weakness in how Windows handles application memory. Browsers and password managers routinely keep sensitive credentials in memory, while other user-mode processes can still access that memory under certain conditions.

Researchers have demonstrated variations of this problem for years. The deeper issue is not simply that passwords appear in plaintext, but that malware running under the same user context may be able to read them without elevated privileges. The result is an environment where a local compromise can quickly turn into credential theft and wider account exposure.
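A detection angle on the same-user case, added here as an example and not code from the article or from Keeper Security: Sysmon's ProcessAccess event (Event ID 10) records which process opened a handle to which other process and with what access mask, so a process that opens a browser with PROCESS_VM_READ can be flagged even when no privilege elevation occurred. The rule, the allowlist and the event records below are assumptions of this example; the records are constructed, not captured from a host.

```python
"""Flag processes that open a browser's memory for reading (added example).

Assumes Sysmon is logging ProcessAccess (Event ID 10) with its standard
fields: SourceImage, TargetImage, GrantedAccess and, on recent Sysmon
versions, SourceUser/TargetUser. The browser list, the review-only tool list
and the sample records are this example's own assumptions.
"""
from __future__ import annotations
import ntpath

# Subset of Windows process access rights relevant to reading or dumping memory.
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_QUERY_INFORMATION = 0x0400

BROWSERS = {"msedge.exe", "chrome.exe", "brave.exe"}
# Tools an admin may legitimately use to dump a process; still worth a look.
REVIEW_ONLY = {"taskmgr.exe", "procdump.exe", "procdump64.exe"}


def evaluate(event: dict) -> dict | None:
    """Return an alert dict for a suspicious ProcessAccess event, else None."""
    src = ntpath.basename(event["SourceImage"]).lower()
    dst = ntpath.basename(event["TargetImage"]).lower()
    access = int(event["GrantedAccess"], 16)
    if dst not in BROWSERS:
        return None
    if src == dst:
        # A Chromium browser opens its own child processes constantly; skip.
        return None
    if not access & PROCESS_VM_READ:
        # Query-only handles (e.g. 0x1000, PROCESS_QUERY_LIMITED_INFORMATION)
        # cannot read memory.
        return None
    return {
        "severity": "review" if src in REVIEW_ONLY else "alert",
        "source": event["SourceImage"],
        "target": event["TargetImage"],
        "access": f"0x{access:x}",
        "can_write": bool(access & PROCESS_VM_WRITE),
        # The case in the text: same user context, no elevation needed.
        "same_user": event.get("SourceUser") == event.get("TargetUser"),
    }


def scan(events: list[dict]) -> list[dict]:
    return [a for a in (evaluate(e) for e in events) if a]


EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# Constructed Sysmon Event ID 10 records; field names follow Sysmon's schema.
SAMPLE_EVENTS = [
    {"SourceImage": EDGE, "TargetImage": EDGE, "GrantedAccess": "0x1410",
     "SourceUser": "CORP\\alice", "TargetUser": "CORP\\alice"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": EDGE,
     "GrantedAccess": "0x1000",
     "SourceUser": "NT AUTHORITY\\SYSTEM", "TargetUser": "CORP\\alice"},
    {"SourceImage": r"C:\Windows\System32\Taskmgr.exe", "TargetImage": EDGE,
     "GrantedAccess": "0x1fffff",
     "SourceUser": "CORP\\alice", "TargetUser": "CORP\\alice"},
    {"SourceImage": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "TargetImage": EDGE, "GrantedAccess": "0x1410",
     "SourceUser": "CORP\\alice", "TargetUser": "CORP\\alice"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Taskmgr.exe is rated "review" rather than "alert" because creating a dump from Task Manager is exactly what an analyst does, but an attacker with a session can do the same; tune the REVIEW_ONLY set to your environment. The fourth record, an unsigned-looking binary in the user's Temp directory opening Edge with 0x1410 (query plus VM_READ) under the same account, is the pattern a same-user infostealer produces.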

Abhay Kulkarni, CEO and Founder, WideField Security

Operating systems have improved process-memory protections over the past decade, yet infostealers and malicious browser add-ons still routinely find ways to extract credentials and session data. The larger concern is that keeping passwords or tokens in cleartext memory undermines the principle of least privilege by making sensitive data broadly accessible once a system is compromised.

Attackers increasingly target session tokens because they can bypass MFA protections entirely. Chrome’s move toward stronger password isolation is a useful step, but the same protections should extend to session cookies and authentication tokens that remain exposed in browser memory.

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(Editor’s note: I used Claude and ChatGPT to assist with research compilation, source discovery, and early draft structuring. All interviews, analysis, fact-checking, and final writing are my own. I remain responsible for every claim and conclusion.)

May 13th, 2026 | My Take | Top Stories