A browser that decrypts your full saved-password vault at launch and leaves it in process memory is not delivering secure convenience. It is widening the blast radius after compromise, and calling that "by design" does not make it a good design.

Last week’s reporting from Malwarebytes, SANS Internet Storm Center, and Dark Reading put a spotlight on a design choice in Microsoft Edge that should make defenders deeply uncomfortable. Researcher Tom Jøran Sønstebyseter Rønning showed that when users save credentials in Edge, the browser loads all of those saved passwords into memory in cleartext when Edge starts, including credentials for sites the user never visits during that session. He later published a proof of concept to demonstrate the issue more directly.

That point matters because this is not just an argument about how passwords are stored on disk. Microsoft’s own documentation says Edge encrypts saved passwords at rest using AES and OS-backed protection, and it also says the simple…
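To make the blast-radius argument concrete, here is an added illustration (not Edge's code, and not from the reporting above) contrasting a vault that decrypts every entry at start-up with one that decrypts only the entry a site actually requests. The origins, passwords and the HMAC-based keystream are constructed stand-ins; the point is how many plaintext secrets a memory dump taken mid-session would expose under each design.

```python
import hmac
import hashlib
import os

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in for AES (stdlib only): HMAC-SHA256 counter-mode keystream.
    # Symmetric, so the same call encrypts and decrypts.
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def seal(key: bytes, password: str):
    nonce = os.urandom(12)
    return nonce, keystream_xor(key, nonce, password.encode())

def unseal(key: bytes, nonce: bytes, ct: bytes) -> str:
    return keystream_xor(key, nonce, ct).decode()

class EagerVault:
    """Decrypts every saved entry at start-up; all plaintexts stay resident."""
    def __init__(self, key, sealed):
        self._plain = {o: unseal(key, n, c) for o, (n, c) in sealed.items()}
    def credential(self, origin):
        return self._plain[origin]
    def resident_plaintexts(self):  # what a process-memory dump would yield
        return sorted(self._plain.values())

class OnDemandVault:
    """Keeps ciphertext resident; decrypts one entry only when a site asks."""
    def __init__(self, key, sealed):
        self._key, self._sealed, self._plain = key, sealed, {}
    def credential(self, origin):
        n, c = self._sealed[origin]
        self._plain[origin] = unseal(self._key, n, c)
        return self._plain[origin]
    def release(self, origin):  # drop the plaintext once the form is filled
        self._plain.pop(origin, None)
    def resident_plaintexts(self):
        return sorted(self._plain.values())

# Constructed sample vault: three saved sites, user only visits mail.example.
SAMPLE = {"bank.example": "b4nk", "mail.example": "m@il", "shop.example": "sh0p"}

def compare(key: bytes = b"k" * 32):
    sealed = {o: seal(key, p) for o, p in SAMPLE.items()}
    eager, lazy = EagerVault(key, sealed), OnDemandVault(key, sealed)
    lazy.credential("mail.example")
    return eager.resident_plaintexts(), lazy.resident_plaintexts()
```

Python strings cannot be reliably zeroed, so `release()` only drops the reference; a native implementation would wipe the buffer.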