TL;DR: Akeyless reports that Microsoft Edge was confirmed to load saved passwords into plaintext process memory on launch, and argues that browser password managers still rest on endpoint trust assumptions that modern infostealers and local compromise routinely break. The security problem is not an encryption failure but runtime exposure: the vault is encrypted at rest, yet the complete usable secret exists inside the browser process, which makes credential compartmentalisation and just-in-time access the real control question.
NHIMG editorial — based on content published by Akeyless: Microsoft Edge’s plaintext-RAM disclosure and its implications for password managers
By the numbers:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes.
- Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations.
Questions worth separating out
Q: How should security teams handle browser-stored passwords for privileged accounts?
A: Security teams should remove privileged and production credentials from browser-stored vaults and place them in dedicated secret management workflows instead.
Q: Why do browser password managers create more risk on shared or managed endpoints?
A: They create more risk because a shared or managed endpoint can expose many users’ decrypted secrets at once if the browser process or its memory is inspected.
Q: How can organisations tell whether secret handling is still too endpoint-dependent?
A: A strong indicator is that a complete usable secret exists in browser memory long enough for malware or local tooling to recover it.
Practitioner guidance
- Inventory browser-stored privileged credentials: identify which admin, production, cloud, and developer accounts are saved in browser-native password managers, then remove them from that storage path first.
- Separate secret storage from the browser process: use dedicated secret handling for sensitive credentials so the decrypted state is not created inside the same process that renders pages and handles user interaction.
- Reduce standing credentials wherever possible: move privileged access toward ephemeral or just-in-time workflows so secrets are available only for a task-scoped interval and then purged.
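The inventory step above is the one a team can script immediately. The following is an added example, not code from the NHIMG post or from Akeyless: it reads the `origin_url`, `username_value` and `date_created` columns of a Chromium-family `Login Data` SQLite store (the file Edge keeps under its profile directory) and flags saved logins whose host matches an assumed list of privileged consoles. It never touches `password_value`, so no decryption or DPAPI access is involved; the point is to find which admin accounts are in the browser path, not to recover them. The host list, the `build_sample_login_data` helper and the sample rows are constructed for this example.

```python
import os
import shutil
import sqlite3
import tempfile
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Hosts whose saved logins are treated as privileged. This list is an assumption
# for the example; replace it with your own admin consoles, cloud portals and CI hosts.
PRIVILEGED_HOST_SUFFIXES = (
    "console.aws.amazon.com",
    "portal.azure.com",
    "console.cloud.google.com",
    "github.com",
    "gitlab.com",
    "vault.internal.example",  # assumed internal admin host, not a real system
)


def chromium_time_to_datetime(micros):
    # Chromium stores date_created as microseconds since 1601-01-01 UTC.
    return datetime(1601, 1, 1) + timedelta(microseconds=micros)


def is_privileged(origin_url):
    host = urlparse(origin_url).hostname or ""
    return any(host == s or host.endswith("." + s) for s in PRIVILEGED_HOST_SUFFIXES)


def inventory_saved_logins(login_data_path):
    """Return sorted (host, username, created) tuples for privileged saved logins.

    The store is copied first because a running browser holds a lock on it.
    Only non-secret columns are selected; password_value is never read.
    """
    tmp = tempfile.NamedTemporaryFile(delete=False, suffix=".db")
    tmp.close()
    try:
        shutil.copyfile(login_data_path, tmp.name)
        conn = sqlite3.connect(tmp.name)
        try:
            rows = conn.execute(
                "SELECT origin_url, username_value, date_created FROM logins"
            ).fetchall()
        finally:
            conn.close()
    finally:
        os.unlink(tmp.name)

    findings = []
    for origin_url, username, created in rows:
        if is_privileged(origin_url):
            host = urlparse(origin_url).hostname
            findings.append((host, username, chromium_time_to_datetime(created)))
    return sorted(findings)


def build_sample_login_data(path):
    """Constructed sample store mimicking the 'logins' table layout; not real data."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE logins (origin_url TEXT, username_value TEXT, "
        "password_value BLOB, date_created INTEGER)"
    )
    # 2024-01-01 00:00:00 UTC expressed in Chromium microseconds.
    ts = int((datetime(2024, 1, 1) - datetime(1601, 1, 1)).total_seconds() * 1_000_000)
    rows = [
        ("https://console.aws.amazon.com/console/home", "ops-admin", b"v10opaque", ts),
        ("https://github.com/login", "release-bot", b"v10opaque", ts),
        ("https://www.example.org/login", "alice", b"v10opaque", ts),
        ("https://eu-west-1.console.aws.amazon.com/iam/home", "root", b"v10opaque", ts),
    ]
    conn.executemany("INSERT INTO logins VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    conn.close()


def demo():
    """Build the constructed sample store in a temp dir and inventory it."""
    d = tempfile.mkdtemp()
    sample = os.path.join(d, "Login Data")
    build_sample_login_data(sample)
    return inventory_saved_logins(sample)


if __name__ == "__main__":
    for host, user, created in demo():
        print(f"{created:%Y-%m-%d}  {host:40} {user}")
```

Run it against a copy of each managed profile's `Login Data` (the default Edge profile on Windows lives under `%LOCALAPPDATA%\Microsoft\Edge\User Data\Default`) and treat every flagged row as a credential to move into a dedicated secret workflow and then delete from the browser. Matching on host suffix rather than exact URL is deliberate: regional or sub-console URLs for the same provider should be caught as one class.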
What's in the full article
Akeyless' full analysis covers the operational detail this post intentionally leaves for the source:
- The exact browser-memory exposure pattern the article attributes to Microsoft Edge and how it differs from ordinary password vault storage.
- The vendor's explanation of just-in-time decryption and distributed secret handling at the implementation level.
- The specific recommended migration path for sensitive credentials away from browser-native password managers.
- The product architecture details behind the credential handling model discussed in the article.
👉 Read Akeyless' analysis of plaintext RAM exposure in browser password managers →
Plaintext RAM in browser password managers: are your controls enough?