Microsoft Edge password security claim raises browser encryption questions

By Kavitha Nair
Tech writer at All Things Geek. Covers the business and industry of technology.
7 Min Read

Microsoft Edge password security is under scrutiny after a researcher claimed the browser stores saved passwords in cleartext, distinguishing it as the only Chromium-based browser tested with this behavior. The allegation contradicts Microsoft’s official documentation, which states that passwords are encrypted on disk using AES encryption with keys stored in operating system storage areas.

Key Takeaways

  • A security researcher claims Edge uniquely stores passwords in cleartext among Chromium-based browsers
  • Microsoft’s official documentation states passwords use AES encryption with OS-level key storage
  • Password Monitor feature checks saved credentials against known breach databases without exposing them to Microsoft
  • Malware running as the user account can access decrypted passwords in browser storage
  • The encryption system is designed to prevent attackers from accessing plaintext passwords when users aren’t logged in

What Microsoft Edge password security actually does

Microsoft Edge encrypts passwords on disk using a technique called local data encryption, according to the company’s security documentation. The encryption keys are stored in operating system storage areas, and passwords remain encrypted so they can only be accessed when a user is logged on to the operating system. Even if an attacker gains admin rights or offline access to the system, the design is intended to prevent them from obtaining plaintext passwords of users who aren’t currently logged in.

On-disk encryption is a separate matter from in-memory handling: while a password is being used, some plaintext exposure in the browser process's memory is unavoidable. The researcher's claim concerns disk storage specifically, raising the question of whether Edge's on-disk encryption works as documented or whether there is a gap between Microsoft's security claims and the actual implementation.

Password Monitor and breach detection privacy

Microsoft Edge includes a Password Monitor feature that checks saved passwords against known compromised lists without exposing credentials to the company itself. The system uses homomorphic encryption technology developed by Microsoft Research, along with Oblivious Pseudo-Random Function (OPRF) cryptography to prevent dictionary attacks on the server. When Password Monitor flags a password as compromised, it means that credential appears in third-party data leaks, not that Edge itself leaked the password.

According to Microsoft Research, the feature operates under a strict privacy model: “The underlying technology ensures privacy and security of the user’s passwords, which means that neither Microsoft nor any other party can learn the user’s passwords while they are being monitored”. This separation between breach detection and password exposure is a technical achievement, but it does not address the researcher’s core claim about how passwords are stored on disk in the first place.
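The OPRF step the article describes is easiest to understand by running it. The following is an added example, not code from Microsoft or from the article: a toy oblivious PRF over the multiplicative group of integers modulo a prime (real deployments use an elliptic-curve group, and Password Monitor adds a homomorphic-encryption step that is not modelled here). The client blinds its hashed password with a fresh random exponent, the server applies its secret key to the blinded value, and the client unblinds the result to obtain F_k(pw) without the server ever seeing the password. The final membership lookup against a constructed breach set stands in for the private membership query mentioned above; in practice the client would not hold that set.

```python
"""Toy OPRF exchange of the kind used to query a breach list without revealing the
password. ASSUMPTIONS: the group is Z_P^* for a fixed prime (real deployments use an
elliptic curve) and the breach-set lookup replaces the homomorphic membership query."""
import hashlib
import math
import secrets

P = 2**127 - 1      # Mersenne prime; toy parameter chosen for readability, not security
ORDER = P - 1       # order of the multiplicative group Z_P^*


def hash_to_group(password: str) -> int:
    """Map a password to a group element in [2, P-2] (never 0, 1 or P-1)."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return 2 + int.from_bytes(digest, "big") % (P - 3)


def client_blind(password: str):
    """Client step 1: pick a random blinding exponent r (invertible mod ORDER)
    and send H(pw)^r. The server only ever sees this blinded value."""
    while True:
        r = secrets.randbelow(ORDER)
        if r > 1 and math.gcd(r, ORDER) == 1:
            return r, pow(hash_to_group(password), r, P)


def server_evaluate(server_key: int, blinded: int) -> int:
    """Server step: raise the blinded element to its secret key k."""
    return pow(blinded, server_key, P)


def client_unblind(r: int, evaluated: int) -> int:
    """Client step 2: strip the blinding; the result is H(pw)^k = F_k(pw)."""
    return pow(evaluated, pow(r, -1, ORDER), P)


def oprf_direct(server_key: int, password: str) -> int:
    """F_k(pw) computed by someone holding k; used to build the breach list."""
    return pow(hash_to_group(password), server_key, P)


def check_password(password: str, server_key: int, breach_outputs: set) -> bool:
    """Run the exchange and test membership. The lookup against breach_outputs
    is a simplification standing in for the homomorphic membership query."""
    r, blinded = client_blind(password)
    evaluated = server_evaluate(server_key, blinded)   # server never sees pw or H(pw)
    return client_unblind(r, evaluated) in breach_outputs


if __name__ == "__main__":
    k = secrets.randbelow(ORDER)                         # server's secret key
    breached = {oprf_direct(k, "password123")}           # constructed breach list
    print(check_password("password123", k, breached))    # True
    print(check_password("correct horse battery", k, breached))  # False
```

Two properties follow from the arithmetic: because (H^r)^k unblinded by r^-1 equals H^k, the client learns exactly F_k(pw) and nothing else about k, so it cannot test candidate passwords offline; and because r is fresh for every query, the server sees a different blinded value each time and cannot run a dictionary attack on what it receives.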

How malware and extensions can compromise Edge passwords

Even with encryption in place, malware running with user-level privileges can access decrypted passwords stored in browser storage areas. Malicious browser extensions with page interaction permissions can also access autofilled passwords and modify form fields, creating a secondary risk vector. This means the security of Edge passwords depends not only on the encryption system but also on the overall security of the user’s operating system and the integrity of installed extensions.

The researcher’s claim suggests that Edge may be more vulnerable to these attacks than other Chromium browsers, though the specific technical differences have not been publicly detailed. If Edge’s password storage architecture differs in a meaningful way from Chrome, other Chromium variants, or Firefox, users deserve to understand those differences when choosing which browser to trust with their credentials.

How to verify and manage Edge passwords

Users concerned about their saved passwords can review them directly in Edge by navigating to edge://settings/passwords or selecting Settings > Profiles > Passwords. From there, you can inspect the saved username and password for any affected site. If you suspect a password may be compromised, you can check the Password Monitor feature in Settings > Passwords > Password Monitor to see if any credentials appear in known breach databases.
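The settings page shows what the browser decrypts for you; it does not show what sits on disk, which is the substance of the researcher's claim. The following is an added audit script, not code from the article or from Microsoft, that a practitioner can run over a copy of a Chromium-family profile's `Login Data` SQLite file to classify each stored password value as an encryption envelope, readable text, or something unrecognised. It never decrypts anything. The envelope markers it recognises are assumptions drawn from Chromium's `os_crypt` layer rather than from the article: a `v10`/`v11`/`v20` version prefix on AES-GCM ciphertext, or the fixed header of a legacy Windows DPAPI blob. The table and column names (`logins`, `origin_url`, `username_value`, `password_value`) follow Chromium's schema; the sample database is constructed.

```python
"""Audit a copy of a Chromium-family profile's 'Login Data' SQLite file and report
whether each stored password value is an encryption envelope or readable text.
The script never decrypts anything; it only classifies what is on disk."""
import sqlite3
import string
import sys
from collections import Counter

# ASSUMPTION (not from the article): Chromium's os_crypt layer prefixes AES-GCM
# ciphertext with a version tag: "v10" (Windows/Linux), "v11" (Linux keyring),
# "v20" (Chrome app-bound encryption). Older Windows profiles hold raw DPAPI blobs,
# which begin with a fixed 20-byte header carrying the DPAPI provider GUID.
ENCRYPTED_PREFIXES = (b"v10", b"v11", b"v20")
DPAPI_BLOB_HEADER = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")
PRINTABLE = set(string.printable) - set("\x0b\x0c")


def classify_value(blob: bytes) -> str:
    """Return 'empty', 'encrypted', 'cleartext' or 'unknown' for one password_value."""
    if not blob:
        return "empty"
    if blob.startswith(ENCRYPTED_PREFIXES) or blob.startswith(DPAPI_BLOB_HEADER):
        return "encrypted"
    try:
        text = blob.decode("utf-8")
    except UnicodeDecodeError:
        return "unknown"  # binary data with no recognised envelope
    return "cleartext" if all(ch in PRINTABLE for ch in text) else "unknown"


def audit_login_db(conn: sqlite3.Connection):
    """Classify every row of the logins table.

    Returns (Counter of classifications, list of (origin_url, username) whose
    password value is readable on disk)."""
    counts = Counter()
    exposed = []
    query = "SELECT origin_url, username_value, password_value FROM logins"
    for origin, username, password_value in conn.execute(query):
        kind = classify_value(password_value or b"")
        counts[kind] += 1
        if kind == "cleartext":
            exposed.append((origin, username))
    return counts, exposed


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a 'Login Data' file (sample rows, not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE logins (origin_url TEXT, username_value TEXT, password_value BLOB)"
    )
    rows = [
        ("https://example.com/login", "alice", b"v10" + bytes(range(44))),          # AES-GCM envelope
        ("https://example.net/signin", "carol", DPAPI_BLOB_HEADER + bytes(range(48))),  # legacy DPAPI blob
        ("https://example.com/login", "bob", b"hunter2-example"),                  # readable on disk
        ("https://example.org/", "dave", b""),                                      # never saved
        ("https://example.org/admin", "erin", b"\xff\xfe\x00\x01\x02"),            # unrecognised binary
    ]
    conn.executemany("INSERT INTO logins VALUES (?, ?, ?)", rows)
    return conn


if __name__ == "__main__":
    # Usage: python audit_login_data.py <copy-of-Login-Data>
    # Copy the file first; the running browser keeps the original locked.
    # With no argument the constructed sample database is audited instead.
    db = sqlite3.connect(sys.argv[1]) if len(sys.argv) > 1 else build_sample_db()
    totals, readable = audit_login_db(db)
    print(dict(totals))
    for origin, username in readable:
        print(f"cleartext password on disk: {origin} ({username})")
```

A profile whose rows all classify as `encrypted` is consistent with Microsoft's documentation; any `cleartext` row is the evidence the claim would need. An `unknown` result means the value is binary but carries none of the markers above, which is worth a closer look rather than a conclusion either way.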

To strengthen password security in Edge, clear your browsing data periodically by setting the time range to “All time” and selecting Browsing history and Cached images and files, then restarting the browser. If passwords stop working after an Edge update, you can repair the browser from Windows Settings > Apps > Apps and features: select Microsoft Edge, choose Modify, and run the repair function.

Does Microsoft Edge password security differ from Chrome?

The researcher’s claim specifically states that Edge is the only Chromium-based browser tested that exhibits this password storage behavior, implying Chrome and other Chromium variants handle encryption differently. However, the exact technical differences between Edge and Chrome’s password encryption systems have not been publicly detailed in the available reporting. Both browsers use encryption, but the researcher suggests Edge’s implementation may have a unique flaw or design choice that sets it apart.

What should users do right now?

Until Microsoft addresses the researcher’s specific claims with a technical response, users should assume their Edge passwords are at risk if their system is compromised by malware or if they have untrusted extensions installed. This is true for any browser, but the allegation suggests Edge may be worse than alternatives. Consider using a dedicated password manager like Bitwarden, 1Password, or KeePass instead of relying on browser-based password storage. If you do use Edge’s password manager, keep Password Monitor enabled and check it regularly to catch compromised credentials before attackers exploit them. The researcher’s claim deserves a clear, technical response from Microsoft—either confirming the vulnerability and committing to a fix, or providing detailed documentation proving the encryption works as documented.

Edited by the All Things Geek team.

Source: Tom's Guide
