# Microsoft Reverses Course: Edge to Secure Passwords in Memory After Initial 'By Design' Claim
**Microsoft** is changing course regarding how **Edge** handles saved passwords. Initially claiming it was "by design," the browser will now prevent loading saved passwords into process memory in clear text at startup, enhancing security posture.

The move comes after security researcher Tom Jøran Sønstebyseter Rønning disclosed on May 4th that all credentials stored in **Edge**'s built-in password manager were decrypted on launch and kept in memory, even when not in use. This exposed a potential attack vector for malicious actors with sufficient privileges.
## Proof-of-Concept and Initial Response
Rønning also released a proof-of-concept (PoC) tool, available on [GitHub](https://github.com/L1v1ng0ffTh3L4N/EdgeSavedPasswordsDumper), demonstrating how attackers with Administrator privileges could dump passwords from other users' **Edge** processes. Without admin privileges, the PoC allows accessing **Edge** processes launched by the same user. He reported the issue to **Microsoft**, only to be told the behavior was "by design."
"**Edge** is the only Chromium-based browser I've tested that behaves this way. By contrast, Chrome uses a design that makes it far harder for attackers to extract saved passwords by simply reading process memory," Rønning stated.
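The attack vector described above boils down to one observable event: a process that is not Edge opening an `msedge.exe` process with memory-read rights. As an added illustration, and not code from the article, the PoC, or Microsoft, the following Python detector runs over constructed Sysmon-style ProcessAccess (Event ID 10) records and flags such opens, separating the same-user case (no elevation needed) from the cross-user case that requires Administrator privileges. The field names (`SourceImage`, `TargetImage`, `GrantedAccess`, `SourceUser`, `TargetUser`), the sample paths, users and access masks, and the small allowlist are all assumptions for the example.

```python
"""Flag non-Edge processes that open msedge.exe with PROCESS_VM_READ.

Example code added for illustration; not from the article, the PoC, or
Microsoft. Input records are constructed to resemble Sysmon Event ID 10
(ProcessAccess); field names and values are assumptions.
"""
from typing import Dict, List, Optional, Tuple

# Win32 process access right that permits reading another process's memory.
PROCESS_VM_READ = 0x0010

# Sources that legitimately open many processes with broad rights; tune to
# the environment (assumed allowlist, not an exhaustive or recommended one).
ALLOWED_SOURCES = {"csrss.exe"}

# Constructed sample events (not real telemetry). GrantedAccess is the hex
# string form Sysmon uses.
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Edge's own processes talking to each other: expected noise.
    {"SourceImage": EDGE, "TargetImage": EDGE, "GrantedAccess": "0x1FFFFF",
     "SourceUser": r"LAB\alice", "TargetUser": r"LAB\alice"},
    # Allowlisted system process.
    {"SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": EDGE,
     "GrantedAccess": "0x1FFFFF", "SourceUser": "NT AUTHORITY\\SYSTEM",
     "TargetUser": r"LAB\alice"},
    # Unknown tool, same user as the Edge process: no elevation required.
    {"SourceImage": r"C:\Users\alice\Downloads\dumper.exe", "TargetImage": EDGE,
     "GrantedAccess": "0x1010", "SourceUser": r"LAB\alice",
     "TargetUser": r"LAB\alice"},
    # Unknown tool reading another user's Edge process: needs admin rights.
    {"SourceImage": r"C:\Temp\dumper.exe", "TargetImage": EDGE,
     "GrantedAccess": "0x1410", "SourceUser": r"LAB\admin",
     "TargetUser": r"LAB\bob"},
    # Task Manager querying limited info only (0x1000): no memory read.
    {"SourceImage": r"C:\Windows\System32\Taskmgr.exe", "TargetImage": EDGE,
     "GrantedAccess": "0x1000", "SourceUser": r"LAB\alice",
     "TargetUser": r"LAB\alice"},
]


def basename(image: str) -> str:
    """Return the file name component of a Windows image path, lower-cased."""
    return image.rsplit("\\", 1)[-1].lower()


def wants_memory_read(granted_access: str) -> bool:
    """True when the access mask includes PROCESS_VM_READ."""
    return int(granted_access, 16) & PROCESS_VM_READ != 0


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return 'same-user', 'cross-user', or None when the event is not of interest."""
    if basename(event["TargetImage"]) != "msedge.exe":
        return None
    if not wants_memory_read(event["GrantedAccess"]):
        return None
    source = basename(event["SourceImage"])
    if source == "msedge.exe" or source in ALLOWED_SOURCES:
        return None
    if event["SourceUser"].lower() != event["TargetUser"].lower():
        return "cross-user"  # only reachable with elevated privileges
    return "same-user"       # reachable by any process running as that user


def find_suspicious(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (source image, category) for every event worth alerting on."""
    hits = []
    for event in events:
        kind = classify(event)
        if kind is not None:
            hits.append((event["SourceImage"], kind))
    return hits


if __name__ == "__main__":
    for image, kind in find_suspicious(SAMPLE_EVENTS):
        print(f"{kind:10s} {image}")
```

The same-user category is the one Microsoft's change narrows: once saved passwords are no longer decrypted into memory at startup, a same-user memory read of an idle Edge process has much less to find, while the cross-user category remains an indicator of an already-elevated actor that the threat model treats as out of scope.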
## The Change of Heart
Despite initially defending the practice, **Microsoft** has now announced that future versions of **Edge** will no longer load saved passwords into memory on startup. This decision comes even though the reported scenario falls within **Microsoft**'s existing threat model, which excludes attacks where an adversary already has administrative control of a device.
"This defense-in-depth change will come to every supported version of **Edge** (Stable, Beta, Dev, Canary, and the Extended Stable channel our enterprise customers run), and we're prioritizing the rollout," said **Microsoft Edge** Security Lead Gareth Evans in a [blog post](https://microsoftedge.github.io/edgevr/posts/Saved-passwords-in-Edge-memory-what-were-changing-and-why/).
"With our commitment to the Secure Future Initiative and customer feedback, we are taking a broader view. That means looking not only at whether something meets the bar for a security issue, but also at where we can reduce exposure through defense-in-depth improvements. In this case, reducing the exposure of passwords in memory is a practical step in that direction."
## Availability
The fix is already live in the **Edge** Canary channel and will be included in the next update for all supported **Edge** releases (build 148 and newer).
## Other Recent Security Enhancements in Edge
Last year, **Microsoft** also introduced a new **Edge** security feature to protect users against malicious extensions sideloaded into the web browser and restricted access to **Edge**'s Internet Explorer mode after hackers began leveraging zero-day exploits in the Chakra JavaScript engine to access target devices.