Microsoft Edge decrypts all saved passwords at startup and holds them in memory as cleartext—confirmed by Norwegian researcher Tom Jøran Sønstebyseter Rønning, who reported it and was told this is "by design." On a solo machine with one admin account, this changes almost nothing. On shared PCs, terminal servers, or family computers with multiple profiles, it turns a single compromised admin account into a credential harvest for every logged-in user. Rønning published a proof-of-concept dumper on GitHub to demonstrate. Edge is reportedly the only Chromium-based browser he tested that behaves this way.
The Hidden Variable: Startup Decryption vs. On-Demand Access
Most browsers decrypt credentials only when you visit a matching site. Edge decrypts everything at launch. That distinction matters more than it sounds.
Here's the asymmetry: on-demand decryption limits your exposure window to active browsing sessions. Startup decryption means your entire password vault sits exposed from the moment you log in until you shut down. Rønning's tool exploits this by reading process memory—something any admin-level tool can do on Windows, not some exotic exploit.
The trade-off most people miss: Edge does this for speed. Faster autofill. Smoother sync. You're trading security architecture for milliseconds on login forms. For a solo user with solid endpoint protection, that's arguably fine. For anyone in a shared environment—office hotdesking, library terminals, family PCs with separate accounts but one admin—it collapses the security model.
| Scenario | Risk Level | Why |
|---|---|---|
| Solo PC, single admin, good habits | Low | Attacker needs admin first; if they have that, you're already compromised |
| Shared PC, multiple user accounts | High | One admin account reads all logged-in users' memory |
| Terminal server / RDS environment | Critical | Multiple simultaneous sessions, all decrypted at login |
| Family PC with "admin for everyone" | Moderate-High | Default Windows home setups often give all users admin rights |
The hidden variable: default admin rights. Windows home editions frequently make every user an administrator. You don't need a hacker. A curious teenager with their sibling's account logged in, a coworker on a shared workstation, or a compromised service account on a terminal server—all can access other users' decrypted memory. Other browsers force you to unlock the password manager separately. Edge skips that step.
First-Hour Priorities: What to Do Before Your Next Session
If you're reading this on a shared machine, act now. If you're on a solo rig, you have time to decide deliberately.
Immediate (next 5 minutes):
- Check if your Windows account is Administrator. Settings > Accounts > Your info. If it says "Administrator," consider whether you need that for daily use.
- On shared PCs, log out fully when done. Don't just switch accounts. Decrypted memory persists while your session is active.
Short-term (today):
- Audit where Edge has saved passwords. edge://settings/passwords. Export if you want backup, then consider deletion for high-value accounts.
- Enable Windows Hello or PIN protection if available—though note this doesn't change the startup decryption behavior, it adds a speed bump.
Medium-term (this week):
| Decision | Gain | Lose |
|---|---|---|
| Switch to browser with on-demand decryption (Firefox, Chrome, Brave) | Narrower exposure window, master password option | Edge sync integration, Microsoft ecosystem convenience |
| Move to dedicated password manager (Bitwarden, KeePass, 1Password) | Encryption at rest, separate unlock, cross-browser | Another app to maintain, potential cost |
| Keep Edge, disable password saving, use manager instead | Keep browser, plug the hole | Lose Edge's autofill convenience |
| Keep Edge as-is, solo machine only | Zero friction | Persistent exposure if machine ever shared or compromised |
The mistake that wastes time: assuming "by design" means "secure enough for everyone." Microsoft's design prioritizes their ecosystem's smoothness. Your threat model may differ.
The Next 2-3 Decisions That Shape Your Run
Decision 1: Do you actually share this machine?
Be honest. Family computer counts. Work laptop that IT might remote into counts. Personal laptop that never leaves your apartment? Different calculus. Don't over-engineer for threats you don't face. Don't under-engineer for ones you do.
Decision 2: Password manager architecture.
Browser-integrated (Edge, Chrome, Safari) vs. standalone (Bitwarden, KeePass, 1Password). The standalone options encrypt your vault as a file or database. They decrypt only when you unlock them. They don't hang out in browser process memory all day. Cost: setup friction, sometimes subscription cost. Benefit: portability if you switch browsers, better isolation.
Decision 3: Account privilege on Windows.
If you don't need admin for daily tasks, run as Standard User. Create a separate admin account for installs. This is old advice that most people ignore because it's annoying. It directly limits Rønning's attack path—you can't read other users' process memory without elevation you don't have.
Why This Calculator Exists: The Real-World Decision Problem
Password security calculators and comparison tools exist because the actual risk of any given setup is nearly impossible to eyeball. "Is Edge safe?" depends on four variables most people never articulate: machine sharing, account privileges, password reuse patterns, and what you're actually protecting. A banking password in Edge on a terminal server is a different asset than a Reddit password on a home desktop.
The calculator forces you to state your variables and see output. Without that structure, people default to binary thinking—"Microsoft wouldn't ship something unsafe" or "everything is broken, use Linux." Neither helps you decide by Tuesday.
Conclusion: The One Thing to Do Differently
Stop treating browser choice as a loyalty decision and start treating it as privilege-scoping. Edge's cleartext-at-startup isn't a bug to wait out; it's an architecture choice that optimizes for Microsoft's convenience metrics. If your machine is truly solo, you can accept that trade. The moment sharing enters your threat model—family, office, terminal server, even occasional guest accounts—the math flips hard. The one change: audit your actual sharing and privilege reality before the next time you save a password anywhere.
