Edge keeps credentials readable inside the logged-in session
Saved passwords sit inside the running browser process in a form a local user can extract. No extra rights are needed beyond the current session, which is the awkward part. If malware runs under that account, it gets the same access.
The exposure is not limited to passwords entered moments earlier. Credentials can be recovered from memory even when Edge has not been used to log into the site in that session. Biometric prompts and the password manager interface do not change that behaviour, because the leak sits below the front end.
For endpoint privacy, the usual assumption that saved passwords are tucked away behind the browser UI is too generous. If local user access exists, the stored secrets are already closer to plain text than most people would like.
A memory dump turns browser profile storage into a password leak
A browser process dump is enough to expose readable credential records. On Windows, Task Manager can create that dump from the Edge sub-process. Once the dump exists, simple text extraction against the file can surface grouped records that include the site URL, protocol, user ID and password.
The practical detail matters: the data does not need to be decrypted in the traditional sense if it is already sitting in memory in readable form. That makes the attack cheap. It also makes it hard to dismiss as niche, because the user who is already logged in can do it without fighting the operating system.
That is the same pattern malware likes. If code lands in the user context, it can harvest saved passwords on demand and pass them out with very little ceremony. Windows credential exposure does not always arrive through the credential vault; sometimes it comes from the browser process itself, which is a more annoying thing to explain to users who assumed the lock screen was the whole story.
What to lock down on the endpoint before you assume Edge is safe
Treat saved passwords on shared or exposed endpoints as a local secret, not a protected vault. If the machine can be used by another person, or if user-level malware is a realistic risk, do not rely on the browser password manager as the last line of defence.
Set a hard boundary around local user access. A logged-in account can already reach into its own Edge session, so separate accounts, tighter privilege separation and fewer chances for arbitrary code to run under that user matter more than a prettier password prompt. If the endpoint is already dirty, the browser profile is not the place to keep high-value credentials.
For higher-risk machines, stop storing sensitive passwords in the browser at all. Use a dedicated password manager with stronger access controls, and keep the browser for low-risk convenience logins. That is not elegant, but neither is handing a local process a folder full of readable secrets.
