Microsoft Edge's Cleartext Password Design: What Australian and New Zealand Boards Should Direct Now

Board Cyber Advisory

Microsoft has confirmed Edge stores every saved password in process memory as cleartext. They have classified the behaviour as "by design". The control is now yours to direct.

Direct your CIO to disable Edge's built-in password manager across your fleet this week. Then ask how many of your staff have credentials saved there today.

The reason is direct. On 29 April 2026, a penetration tester at Palo Alto Networks Norway's BigBiteOfTech conference demonstrated that Microsoft Edge decrypts every saved password into the browser's process memory the moment it launches, then keeps them in cleartext for the entire session. Sites the user no longer visits. Credentials they have not used in months. All of it sits in plain text in memory until the browser is closed.

Microsoft's response, when notified, was that the behaviour is "by design" and does not meet the bar for servicing. That is the company's official position.

For Australian and New Zealand boards, that resets the question. The control is not coming from Microsoft. The control is your governance.

What was actually found

Researcher Tom Jøran Sønstebyseter Rønning tested every major Chromium-based browser. He found Edge alone exhibits this behaviour. Chrome and Brave decrypt credentials only when needed, and Chrome's Application-Bound Encryption ties decryption keys to an authenticated process so other software on the same machine cannot reuse them. Edge does neither.

The exposure is process memory, not the on-disk vault. The on-disk vault remains encrypted. The username, password and origin URL for every saved site sit in the parent msedge.exe heap, readable to anyone with sufficient privilege on the host. Rønning has published a proof of concept tool on GitHub that demonstrates the extraction in seconds.

The authentication prompt that Edge displays before revealing a saved password is, in Rønning's words, theatrical. The credentials are already in cleartext memory before that prompt fires.

Microsoft's "by design" position

Microsoft's stated position is that an attacker with the privileges required to read Edge's process memory could compromise the host through other means, so the scenario sits outside the browser's threat model. The company's password manager FAQ goes a step further and frames the design as a balance of "performance, usability and security".

A separate researcher reported the same behaviour in 2025 and received the same response. There is no patch on the way. Boards should plan accordingly.

Why this matters in Australia and New Zealand specifically

Edge is the default browser on the managed Windows fleets that run most ANZ enterprises. The risk concentrates in three environments common across the regulated sectors we serve.

Citrix, VDI and Remote Desktop Services hosts. An attacker or insider with administrative privileges on a multi-session host can dump the parent Edge process memory of every signed-in and disconnected user on that box. Rønning describes this scenario plainly as a credential harvest. This is the reference architecture for contractor and remote worker access in most ANZ banks, insurers, aged care providers and government agencies.

Shared workstations. Common in clinical, aged care and shift-based environments where a single device is used by multiple staff across rosters.

Compromised endpoints. Any incident that yields local administrator escalation on a Windows host hands the attacker every credential the user has saved in Edge, including for systems unrelated to the initial compromise.

Managed endpoints. An attacker who has compromised an administrator's machine could use that access to read Edge process memory on every device it can administer across the corporate fleet.

Each of these sits squarely inside the obligations boards already have:

  • APRA CPS 234 requires regulated entities to maintain information security capability commensurate with the threats facing them. A browser-resident credential vault sitting in cleartext memory undermines the identity controls boards are relying on.
  • APRA CPS 230 brings third-party and operational resilience expectations that include how privileged access is managed across shared infrastructure.
  • Privacy Act 1988 and the Notifiable Data Breaches scheme: a credential harvest from Edge that leads to unauthorised access to personal information is reportable.
  • Essential Eight: Restrict Administrative Privileges and User Application Hardening apply directly. Maturity Level 2 expectations are not consistent with leaving Edge's password manager enabled on shared hosts.
  • Strengthened Aged Care Quality Standards, Standard 8: governance of clinical and personal information.
  • NZISM: the principle that secrets should reside in memory only for the minimum time necessary is in tension with Edge's behaviour by default.

What boards should direct this month

Seven actions sit within board governance reach. They do not require deep technical specification. They do require a directive.

  1. Assess the impact of disabling Edge's built-in password manager (via Group Policy or Microsoft Intune), taking into account that staff still need a way to manage passwords. The setting is PasswordManagerEnabled = 0. This is the highest-leverage control and can be enforced inside one change window.
  2. Plan a migration to a managed enterprise password manager with on-demand decryption, single sign-on integration and audit logging. Direct that all staff credentials migrate to it within 60 days, with evidenced deletion of all user saved passwords from local devices.
  3. Accelerate the move to passkeys and phishing-resistant MFA wherever the application supports them. The strongest answer to a credential harvest is a credential that cannot be harvested.
  4. Review third-party vendors that do not support enterprise single sign-on through your chosen identity provider. Lobby those that do not, and mandate that all new vendors do.
  5. Restrict and time-bound administrative privileges on Citrix, VDI and Remote Desktop hosts. Just-in-time admin and tiered admin models materially reduce the blast radius of this design choice.
  6. Add detection rules for memory access patterns targeting msedge.exe at the SOC. The proof of concept code is public, and the indicators are knowable.
  7. Audit which staff currently have credentials saved in Edge. Most organisations cannot answer this question today.
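An added example, not from the advisory or from Insicon Cyber, showing how actions 1 and 7 look on a single managed Windows host: it sets the Edge machine policy named above under its documented registry location, verifies it, and lists each user profile's Edge "Login Data" store as a starting point for the credential audit. Run elevated; the profile path is Edge's standard layout, and the size heuristic is an assumption flagged in the comments.

```powershell
# Added example (not the advisory's or vendor's code). Enforces PasswordManagerEnabled=0
# on this host and reports Edge profiles that still carry a saved-credential store.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'   # Edge machine policy location
$PolicyName = 'PasswordManagerEnabled'

function Set-EdgePasswordManagerDisabled {
    # Per the policy's documented behaviour, a value of 0 stops new passwords being saved;
    # entries already saved stay usable until removed, which is what action 2 addresses.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $PolicyName -PropertyType DWord -Value 0 -Force | Out-Null
}

function Test-EdgePasswordManagerDisabled {
    # True only when the policy value exists and is explicitly 0 (absent means "enabled").
    $value = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue).$PolicyName
    return ($null -ne $value -and $value -eq 0)
}

function Get-EdgeSavedCredentialStores {
    # Each Edge profile keeps saved logins in a SQLite file named 'Login Data'.
    # Assumption: the file exists even for profiles with nothing saved, so size and
    # last-write time are follow-up indicators, not proof; a definitive count needs
    # the SQLite 'logins' table, which this script deliberately does not open.
    Get-ChildItem 'C:\Users\*\AppData\Local\Microsoft\Edge\User Data\*\Login Data' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                User      = $_.FullName.Split('\')[2]
                Profile   = $_.Directory.Name
                SizeKB    = [math]::Round($_.Length / 1KB, 1)
                LastWrite = $_.LastWriteTime
            }
        }
}

Set-EdgePasswordManagerDisabled
if (-not (Test-EdgePasswordManagerDisabled)) { throw 'Edge password manager policy was not applied' }
Get-EdgeSavedCredentialStores | Sort-Object SizeKB -Descending | Format-Table -AutoSize
```

Fleet-wide, the same registry value is what the Edge administrative template in Group Policy or Intune writes; the audit output is the per-host evidence to feed the migration and deletion tracking in action 2.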
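For action 6, an added triage query (not from the advisory and not the public proof-of-concept's indicators, which this page does not list): it pulls Sysmon ProcessAccess events (Event ID 10) in which some process opened msedge.exe with memory-read rights, the access any in-memory credential read requires. It assumes Sysmon is installed with ProcessAccess logging covering msedge.exe targets; the known-good source list is a placeholder to tune per estate.

```powershell
# Added example (not the advisory's or vendor's code). Lists processes that opened
# msedge.exe with PROCESS_VM_READ, as recorded by Sysmon Event ID 10.
$KnownGoodSources = @(                       # placeholder allow-list; tune per estate
    'C:\Windows\System32\csrss.exe'
)
$ProcessVmRead = 0x10                        # PROCESS_VM_READ access-right bit

function Get-EdgeMemoryAccessEvents {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the EventData <Data Name="..."> nodes into a hashtable.
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
            [pscustomobject]@{
                Time          = $_.TimeCreated
                SourceImage   = $d.SourceImage
                SourceUser    = $d.SourceUser
                TargetImage   = $d.TargetImage
                GrantedAccess = [int]$d.GrantedAccess   # Sysmon logs a hex string, e.g. 0x1410
                CallTrace     = $d.CallTrace
            }
        } |
        Where-Object {
            $_.TargetImage -like '*\msedge.exe' -and
            ($_.GrantedAccess -band $ProcessVmRead) -ne 0 -and
            $KnownGoodSources -notcontains $_.SourceImage
        }
}

function Get-EdgeMemoryAccessSummary {
    # One row per accessing binary: count and first/last seen, for quick SOC triage.
    Get-EdgeMemoryAccessEvents | Group-Object SourceImage | ForEach-Object {
        [pscustomobject]@{
            SourceImage = $_.Name
            Events      = $_.Count
            FirstSeen   = ($_.Group | Measure-Object Time -Minimum).Minimum
            LastSeen    = ($_.Group | Measure-Object Time -Maximum).Maximum
        }
    } | Sort-Object Events -Descending
}

Get-EdgeMemoryAccessSummary | Format-Table -AutoSize
```

On multi-session hosts, a source process running under one user opening another user's msedge.exe is the credential-harvest pattern the advisory describes and is the first row to investigate.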

Greg Bunt on what this changes

"The Edge finding is not novel cryptography. It is a design philosophy that puts performance ahead of secret hygiene, and Microsoft has been transparent that they are not changing it. That is fine, as long as boards understand they have just inherited the control."

"Every CISO I work with across Australia and New Zealand can name a Citrix farm, a VDI fleet or a shared clinical workstation environment where this risk is concrete today. The hard work is not the technical change. The setting is one Group Policy. The hard work is reaching into every application that allows browser autofill, getting those credentials into a managed vault, and onto passkeys where possible. That is a 60 to 90 day program for most mid-market organisations, and it should start now."

Greg Bunt is a co-founder and Director at Insicon Cyber.

How Insicon Cyber can help

Insicon Cyber works with organisations across Australia and New Zealand on exactly this kind of governance translation. Our Board Cyber Advisory and Managed Security Services practices are working with clients on:

  • Group Policy and Microsoft Intune configuration to disable Edge's password manager across managed fleets.
  • Credential audit to identify the population of staff with browser-stored passwords today.
  • Migration program to a managed enterprise password manager and passkeys, mapped to APRA CPS 234, CPS 230 and Essential Eight obligations.
  • SOC detection content tuned for the public proof of concept indicators, delivered through our aSOC.

If you would like a 30 minute briefing on what this means for your environment, contact us and we would be happy to book a convenient time.
