Microsoft has doubled down on its stance regarding a significant security vulnerability, insisting that the Edge browser's habit of holding saved passwords in memory as cleartext is "by design." Despite warnings from cybersecurity researchers about the ease with which these credentials can be intercepted, the tech giant maintains that this functionality is an expected feature intended to balance performance and usability.
The Risk of Edge Storing Passwords in Cleartext
The controversy began when researcher Tom Jøran Sønstebyseter Rønning discovered that Microsoft Edge keeps every saved password in process memory as cleartext from the moment the browser launches. This includes credentials for websites that the user hasn't even opened during the current session.
The implications of this vulnerability are serious, particularly because it allows for a bypass of traditional security layers like Two-Factor Authentication (2FA) if an attacker gains access to a machine. According to reports from the Internet Storm Center, extracting this data does not require advanced hacking skills. An attacker can simply:
- Create a memory dump file of the browser via Task Manager.
- Use a basic "strings" command to search through the dump file for plain-text passwords.
- Retrieve sensitive credentials in mere moments.
Microsoft’s Response to Security Concerns
Microsoft’s official position is that accessing this data requires the device to be already compromised. In recent correspondence, the company stated, "Safety and security are foundational to Microsoft Edge. Access to browser data as described in the reported scenario would require the device to already be compromised."
The company further explained that their design choices involve a delicate balance between performance, usability, and security. They noted that browsers access password data in memory to facilitate quick and secure sign-ins and recommended that users rely on the latest security updates and antivirus software.
However, security experts argue that these recommendations do not address the core issue. While gaining administrative access sounds difficult, many Windows users run their everyday account with administrator privileges. This creates several high-risk scenarios:
- Shared Environments: As noted by International Cyber Digest, this behavior allows for "credential harvesting" in shared workspaces.
- Terminal Servers: An attacker with admin rights on a terminal server could read the memory of every logged-on user's browser process.
- Physical Access: Leaving a device unattended in a cafe or office provides a window for an attacker to nab passwords quickly.
While Microsoft maintains that this is an expected feature, it remains a critical reminder for all users to practice strong cybersecurity hygiene and ensure their workstations are locked whenever they step away.