Security researchers have discovered that Microsoft Edge loads all saved passwords into memory in plaintext, making them vulnerable to malware or memory-dumping attacks.
Microsoft's response: this is not a security concern.
Security experts disagree. Strongly.
Here's what's happening: When Edge starts up, it loads your entire password vault into system memory in unencrypted plaintext. Any malware with memory access - which is not particularly difficult for modern malware to achieve - can scrape your entire password database in one go.
This isn't theoretical. Memory dumping is a well-established attack vector. Malware doesn't need to brute-force your passwords or exploit complex vulnerabilities. It just needs to read what's already sitting there in memory, completely unprotected.
Microsoft's argument appears to be that if malware has memory access, you're already compromised, so protecting passwords in memory doesn't matter. This is... let's be generous and call it "optimistic."
The security principle at stake is called defense in depth. You don't just have one layer of protection; you have multiple layers so that if one fails, others still provide security. Microsoft is essentially saying "if layer one fails, why bother with layer two?"
Every other major password manager - 1Password, Bitwarden, LastPass - keeps passwords encrypted in memory specifically to mitigate this attack vector. It's considered basic security hygiene.
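To make the "encrypted in memory" mitigation concrete, here is an added example in Go (not code from the article, from Edge, or from any of the password managers named above). It contrasts the design the article criticises, a map holding passwords in the clear, with a vault that keeps each credential as AES-GCM ciphertext under a random per-process key and decrypts only on request, then runs a defender's check over each vault's memory image: does the known secret appear verbatim? The `SealedVault` type, the `example.test` site and the `correct horse battery staple` credential are all constructed for the demonstration; only the Go standard library is used.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// SealedVault (hypothetical type) keeps each credential as AES-GCM ciphertext
// under a key that exists only for this process. The naive design the article
// describes is simply a map[string][]byte holding the passwords themselves.
type SealedVault struct {
	aead    cipher.AEAD
	entries map[string][]byte // site -> nonce || ciphertext || tag
}

// NewSealedVault generates a fresh random AES-256 key for this process.
func NewSealedVault() (*SealedVault, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)  // cannot fail: 32 bytes is a valid AES-256 key
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return &SealedVault{aead: aead, entries: make(map[string][]byte)}, nil
}

// Put seals the password under a random nonce and zeroes the caller's copy.
// The site name is bound as associated data so a ciphertext cannot be
// silently re-labelled for a different site.
func (v *SealedVault) Put(site string, password []byte) error {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	v.entries[site] = v.aead.Seal(nonce, nonce, password, []byte(site))
	wipe(password)
	return nil
}

// Get decrypts one credential on demand. The returned slice is the only
// plaintext copy; the caller should wipe() it as soon as it has been used.
func (v *SealedVault) Get(site string) ([]byte, error) {
	sealed, ok := v.entries[site]
	if !ok {
		return nil, fmt.Errorf("no entry for %q", site)
	}
	ns := v.aead.NonceSize()
	return v.aead.Open(nil, sealed[:ns], sealed[ns:], []byte(site))
}

// wipe overwrites a buffer so plaintext does not linger on the heap.
func wipe(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// memoryImage concatenates a vault's stored buffers, standing in for a dump
// of the heap region that holds them.
func memoryImage(entries map[string][]byte) []byte {
	var img []byte
	for _, e := range entries {
		img = append(img, e...)
	}
	return img
}

// Demo stores one constructed credential both ways and reports whether a
// byte scan of each vault's memory image finds it verbatim, plus the value
// the sealed vault returns on request.
func Demo() (foundInPlain, foundInSealed bool, recovered string, err error) {
	const site, secret = "example.test", "correct horse battery staple" // constructed
	plain := map[string][]byte{site: []byte(secret)}
	foundInPlain = bytes.Contains(memoryImage(plain), []byte(secret))

	sealed, err := NewSealedVault()
	if err != nil {
		return
	}
	if err = sealed.Put(site, []byte(secret)); err != nil {
		return
	}
	foundInSealed = bytes.Contains(memoryImage(sealed.entries), []byte(secret))

	pw, err := sealed.Get(site)
	if err != nil {
		return
	}
	recovered = string(pw) // copied out only so the demo can report it
	wipe(pw)
	return
}

func main() {
	p, s, rec, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("plaintext vault exposes secret: %v\nsealed vault exposes secret: %v\n", p, s)
	fmt.Printf("sealed vault decrypts on demand: %q\n", rec)
}
```

Run with `go run .`: the scan finds the credential in the plaintext map and not in the sealed vault, while `Get` still returns it on demand. Two caveats that matter in practice: the AEAD key itself is still in process memory, so an attacker who finds the key and understands the vault format can still recover credentials, and Go strings are immutable, so any `string(pw)` conversion leaves a copy the wipe cannot reach. The design does exactly what the article asks for, no more: a bulk scan for password-like strings finds nothing, and the attacker's job gets harder at that step.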
One Reddit user with security experience noted: "This is like saying you don't need to lock your bedroom door because someone already broke into your house. The whole point is to make the attacker's job harder at every step."
Microsoft has been pushing Edge aggressively, trying to compete with Chrome and convince Windows users to abandon their browser of choice. Edge is actually quite good in many ways - it's fast, has useful features, and integrates well with Windows.
But this password handling is a fundamental security failure. And Microsoft's dismissive response to security researchers raises questions about how seriously they take security concerns when they conflict with convenience or performance goals.
The practical advice for now: if you use Edge's built-in password manager, consider switching to a dedicated password manager like 1Password or Bitwarden. Those tools are specifically designed with security as the primary goal, not an afterthought.
Microsoft has not indicated whether they plan to change this behavior. The company has a pattern of downplaying security issues until they become PR problems. Perhaps this will be one of those times.
