
How to Check If Your Edge Browser Passwords Are Exposed (and What to Do About It)

Last updated: 2026-05-06 18:58:10 · Science & Space

Introduction

Recent research by Norwegian security expert Tom Jøran Sønstebyseter Rønning revealed a critical flaw in Microsoft Edge's password manager: saved credentials are stored in plain text in the browser's process memory. This means that anyone with access to your computer—especially on shared or corporate machines—can easily retrieve your passwords. While Microsoft has downplayed the risk, other browsers like Google Chrome use stronger encryption methods (e.g., App-Bound Encryption) to protect passwords in memory. This guide will walk you through how to verify if your Edge passwords are exposed, understand the risks, and take steps to secure your credentials.

Source: www.computerworld.com

What You Need

  • A Windows PC with Microsoft Edge installed (any recent version).
  • Administrator access to run diagnostic tools.
  • The free tool published by Rønning on GitHub: Edge Password Dump (or similar).
  • Optional: A separate password manager like Bitwarden or 1Password.
  • Basic familiarity with command-line tools (for using the verification script).

Step-by-Step Guide

Step 1: Understand the Vulnerability

Edge decrypts all saved passwords at startup and keeps them in memory—even if you never visit the corresponding websites. This is by design, according to Microsoft, but it means that any malware or a malicious user with access to the system can read those passwords in plain text. The researcher demonstrated this by creating a simple tool that dumps the browser's process memory. To confirm your exposure, proceed to the next steps.

Step 2: Download and Run the Verification Tool

  1. Visit the GitHub repository for the Edge Password Dump tool: https://github.com/tomronning/edge-password-dump.
  2. Download the executable or Python script (if you have Python installed).
  3. Close all other applications to ensure Edge's memory is not fragmented.
  4. Run the tool as an administrator (right-click -> Run as administrator).
  5. The tool will scan Edge's process memory and output any decrypted passwords to the console or a text file. Review the output—if you see your saved passwords in plain text, you are affected.

Step 3: Assess Your Risk Level

If the tool reveals your passwords, consider your environment:

  • Personal Computer: Lower risk if only you have physical access, but malware could still steal credentials.
  • Shared or Corporate PC: High risk—anyone using the same machine can access your saved passwords without special skills.
  • Managed Devices: IT admins should evaluate whether this flaw violates security policies.

German publication Heise.de replicated the findings, confirming the bug persists even after restarting Edge. Microsoft's official response stated that "access to browser data... would require the device to already be compromised," but security experts like David Shipley of Beauceron Security call this a cop-out, noting that info-stealing malware often achieves persistence first.

Step 4: Mitigate the Issue

  1. Stop using Edge's built-in password manager. Disable it: Go to Settings > Profiles > Passwords and toggle off "Offer to save passwords."
  2. Use a dedicated password manager such as Bitwarden, 1Password, or LastPass. These store credentials in encrypted databases and do not expose them in process memory.
  3. Switch to Google Chrome temporarily if you need a browser-based solution. Chrome uses App-Bound Encryption, which keeps passwords encrypted in memory—though not foolproof, it is far more robust than Edge's approach.
  4. Delete saved passwords from Edge: Navigate to Settings > Profiles > Passwords, click the three dots next to each entry, and select "Remove."
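
To confirm that item 4 really emptied every Edge profile, the check below lists the sites that still have a saved login without ever reading a password. It is an added example, not code from the original article or from the researcher's tool. It assumes the default Edge profile folder on Windows and Chromium's `logins` table with its `origin_url` and `blacklisted_by_user` columns; the two sample profiles are constructed.

```python
import os, shutil, sqlite3, tempfile
from pathlib import Path

# Default Edge profile root on Windows (assumption); pass another path if yours differs.
EDGE_USER_DATA = Path(os.environ.get("LOCALAPPDATA", "")) / "Microsoft/Edge/User Data"

def saved_login_origins(login_db):
    """Return the sites that still have a saved login. Passwords are never read."""
    with tempfile.TemporaryDirectory() as tmp:
        # Query a private copy: a running Edge can hold a lock on the live file.
        copy = Path(tmp) / "logins.sqlite"
        shutil.copy2(login_db, copy)
        conn = sqlite3.connect(copy)
        try:
            # blacklisted_by_user = 1 marks "never save for this site" rows,
            # which hold no credential and are not a finding.
            rows = conn.execute(
                "SELECT DISTINCT origin_url FROM logins "
                "WHERE blacklisted_by_user = 0 ORDER BY origin_url").fetchall()
        finally:
            conn.close()
    return [r[0] for r in rows]

def audit_profiles(user_data_dir=EDGE_USER_DATA):
    """Map each profile folder (Default, Profile 1, ...) to its saved-login sites."""
    return {db.parent.name: saved_login_origins(db)
            for db in sorted(Path(user_data_dir).glob("*/Login Data"))}

def build_sample(root):
    """Constructed sample: two profiles with a cut-down logins table."""
    data = {"Default": [("https://mail.example/", "alice", 0),
                        ("https://bank.example/", "", 1)],  # "never save" entry
            "Profile 1": []}                                 # already cleaned
    for profile, rows in data.items():
        (root / profile).mkdir(parents=True)
        conn = sqlite3.connect(root / profile / "Login Data")
        conn.execute("CREATE TABLE logins (origin_url TEXT, username_value TEXT, "
                     "blacklisted_by_user INTEGER)")
        conn.executemany("INSERT INTO logins VALUES (?, ?, ?)", rows)
        conn.commit()
        conn.close()

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        return audit_profiles(tmp)

if __name__ == "__main__":
    for profile, sites in demo().items():  # swap demo() for audit_profiles()
        print(f"{profile}: {len(sites)} saved login(s)", *sites, sep="\n  ")
```

Close Edge before running it against the real profile folder. Any site it lists still has a stored credential and needs removing under Settings > Profiles > Passwords.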

Step 5: Implement Additional Security Measures

  • Keep your operating system and Edge browser updated to patch known vulnerabilities.
  • Use anti-malware software that can detect info-stealers (e.g., Windows Defender, Malwarebytes).
  • Enable multi-factor authentication (MFA) on all important accounts—even if a password is stolen, MFA can block unauthorized access.
  • For organizations: deploy endpoint detection and response (EDR) tools and restrict admin rights to reduce the impact of credential theft.

Tips and Final Thoughts

  • Never rely solely on a browser's built-in password manager for sensitive accounts. The convenience comes at a security cost, and as this Edge flaw shows, the trade-off can be dangerous.
  • Test regularly using the tool from Step 2 to ensure no future Edge update has reintroduced the issue.
  • Consider using a password manager that supports local encryption (e.g., KeePass) if you prefer not to sync to the cloud.
  • Remember that no system is 100% secure. Chrome's App-Bound Encryption has been broken before by determined attackers, but the barrier to exploit is significantly higher than with Edge's plain-text exposure.
  • If you are an IT administrator, consider blocking the use of Edge's password manager via Group Policy and push a corporate-approved manager instead.

By following these steps, you can protect your credentials from being easily harvested—whether from a shared office PC or a malware-infected personal device. The key is to move away from insecure default behaviors and adopt tools designed with security as a priority.
