Microsoft says Edge’s plaintext password behavior is “by design”

A researcher found that Microsoft Edge loads its entire built-in password vault into plaintext process memory at startup (unlike other Chromium-based browsers that decrypt passwords only when needed), and published a proof-of-concept showing that an attacker with local/elevated access can harvest credentials from memory; Microsoft characterized the behavior as "by design." The article warns this design makes post‑compromise credential harvesting easier, notes many infostealers already have such capabilities, and recommends mitigations such as disabling autofill, using MFA, and avoiding storing sensitive data in the browser vault.