Following huge user backlash Microsoft is updating Edge to stop loading saved passwords in cleartext into memory when the browser starts. Security researcher revealed that Edge decrypted every saved credential at startup and kept them resident in plaintext in the browser’s process memory for the entire session, even if those passwords were never used. Microsoft initially called the behavior “by design” and within the browser’s threat model, noting it required an attacker to already have administrative access and run malicious code locally. In response to customer backlash, the company is making a defense-in-depth improvement under its Secure Future Initiative. Saved passwords will no longer load into memory at startup and will instead be decrypted only on demand when needed. The fix is live in the Edge Canary channel and is prioritized for rollout to all supported versions beginning with builds 148 and newer.