Microsoft Edge Password Vulnerability: Clear Text Memory Storage Exposed

Hacker News

Microsoft Edge stores all saved passwords in clear text within system memory, even when they're not actively in use, according to a security researcher's findings shared on Hacker News. This critical flaw means passwords remain unencrypted and fully readable in memory at all times, contrary to security best practices.

Storing credentials in unencrypted form exposes users to severe risks. If an attacker gains memory access—through malware, unauthorized processes, or physical intrusion—they can directly extract passwords without decryption keys. Legitimate password managers typically encrypt stored data, rendering it useless without a master password. Edge's implementation effectively removes a key security layer, potentially compromising all saved accounts.

The vulnerability impacts anyone using Edge's password-saving feature, which millions rely on for convenience. Worse, the issue persists for unused passwords, meaning even dormant credentials remain exposed. This deviates from industry standards where browsers only decrypt passwords during active use. Security experts argue this design choice significantly increases the attack surface for credential theft.

Microsoft must urgently address this memory security risk. Until fixed, users should avoid saving passwords in Edge or pair it with a hardware security key. The discovery, initially flagged on Hacker News, highlights the dangers of inadequate memory isolation in widely used browsers. For now, this critical issue, potentially affecting hundreds of millions of users, demands immediate attention.