Microsoft just quietly fixed a security practice that had cybersecurity experts raising eyebrows for months. The company's latest Edge browser update finally encrypts passwords stored in RAM - a reversal that comes after Microsoft initially defended storing credentials in plaintext memory as an intentional design choice. The change affects millions of enterprise and consumer users who rely on Edge's built-in password manager, though you'll need to manually update to get the protection.
Microsoft has reversed its stance on a controversial security practice, finally encrypting passwords in Edge browser memory after months of defending the plaintext storage as intentional. The change arrives in the latest Edge update, marking a significant shift in how the company handles credential security for its reported 600 million users.
The issue first surfaced when security researchers discovered that Edge kept saved passwords in plaintext in the browser process's memory - meaning anything able to read that memory, such as malware running as the same user, a debugger, a crash dump, or an attacker with physical access to the device, could extract the credentials directly. When confronted, Microsoft initially dismissed the concern, stating the behavior was working as designed and in line with how modern browsers handle password management.
But that defense apparently didn't hold up under sustained scrutiny from the security community. The company has now implemented encryption for password data stored in memory, a standard practice used by competing browsers like Chrome and Firefox. The shift suggests Microsoft recognized the plaintext approach created unnecessary risk, particularly for enterprise customers handling sensitive corporate credentials.
The timing is notable. Browser security has become a critical battleground as built-in password managers increasingly hold the credentials that infostealers go after. With cyberattacks targeting stored passwords up 38% over the past year, according to figures from one cybersecurity vendor, browsers face mounting pressure to implement defense-in-depth strategies that protect credentials at every stage, on disk and in memory alike.
For Edge users, the change means saved passwords stay encrypted even while the browser holds them in working memory during a session; with any in-memory encryption scheme the plaintext exists only for the moments it is actually needed, for example when a login form is filled. This matters because credential-stealing malware commonly dumps process memory and scans it for recognisable strings - a technique that has become more common as other attack vectors get harder to exploit. Encrypting the in-memory copy defeats that kind of scanning and limits what ends up in crash dumps, the page file or hibernation files. The caveat a practitioner will want: the protection is only as strong as the separation between ciphertext and key, so an attacker who can read the process's memory gains far less when the key is held by the operating system than when it sits in the same heap next to the data. By encrypting password data in memory, Microsoft adds another layer of defense against both malware-based attacks and physical access to a running or suspended machine.
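As an added illustration of the technique (this is not Edge's code and is not a description of how Edge implements it), here is what in-memory credential protection looks like on Windows using the operating system's own facility, CryptProtectMemory, reached through .NET's ProtectedMemory class in Windows PowerShell 5.1. The function names, the `Hunter2!` sample password and the scraper stand-in are assumptions made for the demo.

```powershell
# Added example, not Microsoft's code. Keeps a credential encrypted while it sits in
# this process's memory and decrypts it only for the moment it is used.
# Requires Windows PowerShell 5.1 (.NET Framework), where ProtectedMemory is available.
Add-Type -AssemblyName System.Security

# SameProcess: only this process can decrypt the blob, even another process of the same user cannot.
$Scope = [System.Security.Cryptography.MemoryProtectionScope]::SameProcess

function Protect-Secret {
    # Encrypts a plaintext string in place and returns the ciphertext plus original length.
    param([Parameter(Mandatory)][string]$Plaintext)
    $raw = [System.Text.Encoding]::UTF8.GetBytes($Plaintext)
    $len = $raw.Length
    # CryptProtectMemory encrypts in place and requires a multiple of 16 bytes.
    $blob = [byte[]]::new([int]([math]::Ceiling($len / 16) * 16))
    [Array]::Copy($raw, $blob, $len)
    [Array]::Clear($raw, 0, $len)                 # wipe the plaintext byte copy
    [System.Security.Cryptography.ProtectedMemory]::Protect($blob, $Scope)
    [pscustomobject]@{ Blob = $blob; Length = $len }
}

function Use-Secret {
    # Decrypts into a temporary buffer, hands the bytes to $Action, then wipes them.
    param(
        [Parameter(Mandatory)]$Secret,
        [Parameter(Mandatory)][scriptblock]$Action
    )
    $buf = [byte[]]$Secret.Blob.Clone()
    try {
        [System.Security.Cryptography.ProtectedMemory]::Unprotect($buf, $Scope)
        & $Action $buf $Secret.Length
    }
    finally {
        [Array]::Clear($buf, 0, $buf.Length)      # plaintext lifetime ends here
    }
}

function Test-PlaintextVisible {
    # Stand-in for a naive memory scraper: look for the password bytes inside a buffer.
    param([Parameter(Mandatory)][byte[]]$Buffer, [Parameter(Mandatory)][string]$Needle)
    $hay    = [BitConverter]::ToString($Buffer)
    $needle = [BitConverter]::ToString([System.Text.Encoding]::UTF8.GetBytes($Needle))
    $hay.Contains($needle)
}

# --- demo with a constructed sample password ---
$password = 'Hunter2!'

# The "before" picture: a plaintext buffer gives the scraper the credential immediately.
$plainBuffer = [System.Text.Encoding]::UTF8.GetBytes($password)
"Visible in a plaintext buffer:  $(Test-PlaintextVisible -Buffer $plainBuffer -Needle $password)"
[Array]::Clear($plainBuffer, 0, $plainBuffer.Length)

# The "after" picture: the resident copy is ciphertext, so the same search finds nothing.
$secret = Protect-Secret -Plaintext $password
"Visible in the protected buffer: $(Test-PlaintextVisible -Buffer $secret.Blob -Needle $password)"

# Decrypt only at the point of use and work on the bytes, not on a managed string.
Use-Secret -Secret $secret -Action {
    param([byte[]]$Bytes, [int]$Length)
    "Using a $Length-byte credential for the login step"
}
```

Two points about the design. First, the key for CryptProtectMemory is managed by the operating system rather than stored beside the ciphertext in the process's own heap, which is what makes this meaningfully stronger than encrypting with a key the process generated for itself: a user-mode dump of the process yields ciphertext and no key. Second, the demo is honest about its own limits: the `$password` literal and any .NET string built from the bytes cannot be wiped (strings are immutable), so a dump of this PowerShell session would still contain the sample password; that is why the action receives a byte array, and why a real password store keeps the plaintext out of managed strings entirely and clears its buffers as soon as a fill completes.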
The catch? The update won't arrive automatically for all users immediately. Microsoft typically rolls out Edge updates gradually, and users who want the protection now can trigger an update check themselves from Settings and more > Help and feedback > About Microsoft Edge (edge://settings/help), which downloads and installs any pending update and then prompts for a browser restart. Enterprise IT administrators managing Edge deployments will need to push the update through their management tools and verify the installed version across the fleet to ensure organization-wide coverage.
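For administrators who need to confirm that coverage, here is an added example (not Microsoft's code) that reports the installed Edge version on one or more Windows hosts and flags any below a minimum you choose. The function name is an assumption, as is the minimum version: the article does not state which Edge build carries the in-memory encryption change, so take that value from Microsoft's release notes for your channel.

```powershell
# Added example, not Microsoft's code. Reports the installed Edge version per host and
# marks hosts that are below a minimum version as Outdated.
# Assumes Edge's standard install locations; remote hosts need PowerShell remoting (WinRM).
function Get-EdgeVersionReport {
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        # Assumption: fill this in from the Edge release notes for the build you require.
        [Parameter(Mandatory)][version]$MinimumVersion
    )

    # Runs on each target; returns the product version string or $null if Edge is absent.
    $probe = {
        $candidates = @(
            "$env:ProgramFiles\Microsoft\Edge\Application\msedge.exe",
            "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe"
        )
        $exe = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
        if ($exe) { (Get-Item $exe).VersionInfo.ProductVersion } else { $null }
    }

    foreach ($computer in $ComputerName) {
        $versionText = if ($computer -eq $env:COMPUTERNAME) {
            & $probe
        } else {
            Invoke-Command -ComputerName $computer -ScriptBlock $probe
        }

        $status = if (-not $versionText) {
            'NotInstalled'
        } elseif ([version]$versionText -lt $MinimumVersion) {
            'Outdated'
        } else {
            'OK'
        }

        [pscustomobject]@{
            ComputerName   = $computer
            EdgeVersion    = $versionText
            MinimumVersion = $MinimumVersion.ToString()
            Status         = $status
        }
    }
}

# Usage (hostnames and minimum version are placeholders):
# Get-EdgeVersionReport -ComputerName 'WS-001','WS-002' -MinimumVersion '120.0.0.0' |
#     Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

Where remoting is not enabled, the same `$probe` logic can run as an Intune or Configuration Manager detection script, and hosts reporting `Outdated` or `NotInstalled` are the ones to target with the update push. Note that the version string Edge reports is the running installed build; a host that has downloaded but not yet restarted into a new version will still show the old one, so a pending-restart check belongs alongside this report in any rollout dashboard.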
This reversal fits a broader pattern of Microsoft adjusting security practices after initial resistance. The company has faced similar criticism over Windows password handling, BitLocker encryption defaults, and cloud security configurations - often implementing changes after security researchers and enterprise customers push back on practices that prioritize convenience over protection.
The password encryption update also comes as Microsoft pushes enterprise customers toward its Authenticator app and passwordless authentication methods. The company has been vocal about moving beyond traditional passwords entirely, positioning passkeys and biometric authentication as the future. But with billions of password-based accounts still in use, securing traditional credential storage remains essential in the transition period.
Browser security experts are calling the change overdue but welcome. The plaintext memory storage represented an unnecessary weak point in Edge's otherwise robust security architecture, particularly given that encrypting RAM-stored passwords has minimal performance impact with modern processors. Other major browsers implemented similar protections years ago, making Microsoft's initial "by design" defense puzzling to security professionals.
For organizations using Edge as their standard browser - a common choice for Windows-centric enterprises - the update should be treated as a priority. While exploiting the plaintext memory storage required an attacker to already be able to read the browser process's memory, typically code execution as the logged-in user or physical access to the machine, closing that gap matters in defense-in-depth strategies designed to limit what a successful initial compromise can harvest.
Microsoft's decision to encrypt Edge passwords in RAM represents a rare security reversal from a company that initially defended the plaintext approach. While the change is technically straightforward - implementing encryption that competitors have used for years - it signals Microsoft is listening to security researchers and enterprise customers concerned about credential protection. For the millions of users relying on Edge's built-in password manager, the update closes a security gap that shouldn't have existed in the first place. But with the update requiring manual installation for many users, the real test will be adoption rates and whether Microsoft pushes the change aggressively enough to protect its entire user base.