Password Security: Is Your Browser the Problem?

Cybersecurity researcher Tom Jøran Sønstebyseter Rønning posted a video on X showing how Microsoft Edge saves passwords in plaintext in the computer’s RAM. The passwords are left exposed throughout your session, even when they are not in use. Threat actors can easily obtain all stored passwords if the device is compromised. This vulnerability affects users who save their credentials to the Microsoft Password Manager in the Edge browser.
Microsoft has since affirmed that this behavior is by design. In a statement, representatives said that “browsers access password data in memory to help users sign in quickly and securely — this is an expected feature of the application.” For users who are worried about the vulnerability this poses, Microsoft added that “access to browser data as described in the reported scenario would require the device to already be compromised… We recommend users install the latest security updates and antivirus software to help protect against security threats.”
Other Chromium-based browsers – such as Chrome, Opera and Brave – were also tested for similar exposures. Rønning noted, “by contrast, Chrome uses a design that makes it far harder for attackers to extract saved passwords by simply reading process memory.” Unlike Edge, Chrome loads passwords when the user requests the credentials via the password manager or autofill.
It is important to be aware of how your credentials are being stored. Protecting yourself can be as simple as switching your tools or updating software. Users concerned about Microsoft’s design can rely on other password managers, such as Nord or LastPass, which use a zero-knowledge security model.
If you have any concerns about the security of your business, contact us at info@kazmarek.com to ensure you and your team are staying up to date.