Forum Discussion

Stephane51000
Copper Contributor
May 06, 2026

Edge Password Manager keeps passwords cleartext at runtime — misaligned with Chromium (CWE-316)

Microsoft Edge is a strong Chromium‑based browser, and its Password Manager is promoted as a secure, integrated solution.

However, its current runtime behavior prevents adoption: saved passwords remain available in cleartext during the entire Edge session, even when they are not actively used.

This differs from the Chromium / Chrome model, where credentials are decrypted only on demand and cleared afterward.

Importantly, the device does not need to be “fully compromised”: a standard user‑mode process, using common Windows APIs and tooling that often bypass traditional antivirus detection, can extract all stored credentials from the running Edge process.

Chromium / Chrome already addresses this by combining DPAPI (user scope), App‑Bound Encryption, and process‑to‑process protections, ensuring passwords are decrypted only on demand and not kept continuously available at runtime.

Request: please align Edge Password Manager runtime behavior with the Chromium model:

  • decrypt passwords only when needed
  • avoid keeping unused credentials available in cleartext

This would close a significant gap with Chromium and remove an important blocker to real‑world adoption, without impacting user experience.
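The two runtime models the post contrasts, as an added example (not Edge or Chromium code): a store that decrypts every record at load and keeps it resident for the session, beside one that decrypts a single record on demand and zeroes the buffer as soon as the use ends. The HMAC-SHA256 keystream, `seal`, the class names and `cleartext_resident` are assumptions standing in for the platform decryptor (DPAPI / App-Bound Encryption) so the sample runs offline.

```python
import hashlib
import hmac
from contextlib import contextmanager

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: an assumed stand-in for the platform
    decryptor (DPAPI / App-Bound Encryption), not a production cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key: bytes, nonce: bytes, plaintext: bytes) -> tuple:
    """Build a (nonce, ciphertext) record as the store holds it at rest."""
    return nonce, _xor(plaintext, _keystream(key, nonce, len(plaintext)))

class SessionPlaintextStore:
    """Behaviour the post objects to: decrypt everything once at load and
    keep the cleartext resident for the whole session."""
    def __init__(self, key: bytes, records: dict):
        self.plain = {site: _xor(ct, _keystream(key, nonce, len(ct)))
                      for site, (nonce, ct) in records.items()}
    def get(self, site: str) -> bytes:
        return self.plain[site]

class OnDemandStore:
    """Requested behaviour: hold only ciphertext; decrypt one record into a
    mutable buffer for the duration of a use, then overwrite that buffer."""
    def __init__(self, key: bytes, records: dict):
        self._key = key
        self._records = dict(records)
    @contextmanager
    def use(self, site: str):
        nonce, ct = self._records[site]
        buf = bytearray(_xor(ct, _keystream(self._key, nonce, len(ct))))
        try:
            yield buf
        finally:
            for i in range(len(buf)):  # zero in place; immutable bytes could not be cleared
                buf[i] = 0

def cleartext_resident(store, secret: bytes) -> bool:
    """Does the store object itself keep `secret` in any attribute value?"""
    blobs = []
    for value in vars(store).values():
        if isinstance(value, dict):
            for v in value.values():
                blobs.extend(v if isinstance(v, tuple) else (v,))
    return any(isinstance(b, bytes) and secret in b for b in blobs)
```

The check inspects only the store's own data structures; copies made by the interpreter are outside what this sample demonstrates.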

