Microsoft Edge Loads All Your Passwords Into Memory In Plaintext

A security researcher has discovered that Microsoft Edge loads all of your stored passwords into memory in plaintext at startup. This makes it easy for malware, spyware, or a virus running on the machine to scrape those passwords.

In 2020, Microsoft moved Edge to Chromium, the same framework that powers browsers such as Chrome, Brave, and Opera. Edge is the only Chromium-based browser that loads all stored passwords into memory in plaintext at startup, so this is not a framework issue.

Cyber security researcher @L1v1ng0ffTh3L4N posted about the issue on X, saying:

“Edge is the only Chromium‑based browser I’ve tested that behaves this way.

“When you save passwords in Edge, the browser decrypts every credential at startup and keeps them resident in process memory. This happens even if you never visit a site that uses those credentials,” the security researcher claims. “If an attacker gains administrative access on a terminal server, they can access the memory of all logged‑on user processes.”

After reporting the issue to Microsoft, the security researcher was told that this behaviour was “by design.” A company spokesperson also shared a more detailed statement with Windows Central:

“Safety and security are foundational to Microsoft Edge. Access to browser data, as described in the reported scenario, would require the device to already be compromised. Design choices in this area involve balancing performance, usability, and security, and we continue to review it against evolving threats. Browsers access password data in memory to help users sign in quickly and securely – this is an expected feature of the application. We recommend users install the latest security updates and antivirus software to help protect against security threats.”

So this is a feature, not a bug, which is concerning to say the least. Microsoft did this by design. In May 2024, Microsoft said security is its “Top Priority”. If you’re concerned about the security of your saved passwords in Edge, I would recommend moving all of them to a more secure password manager and using a different browser than Microsoft Edge.

Password Management and How Passwords Work

Passwords are the lifeblood of the internet: everything you do online requires one. A password is a word or string of characters used for user authentication, proving your identity or your approval to access a resource, and it is meant to be kept secret from anyone not allowed that access. Before we can go over password management, let’s explain how passwords work.

When you join a service, you create a username and password. The password is not stored as you typed it; the service stores a hash of it, either in a database or in a file. No two different passwords produce the same stored hash.

When you log in again, you enter the username and password you created when you signed up. The service hashes the password you entered the same way and compares the result against the hash stored for that username in the file or database. If the two hashes match, the service knows you are the legitimate user and lets you in.

Good sites store passwords only as hashes, so no one, not even the people who run the site, can read the passwords held in the file or database. If the company suffers a security breach, the attacker does not get the passwords, just the hashes. This is still bad, because someone can use a rainbow table attack to recover passwords from the hashes, but it reduces the severity of the breach compared with storing passwords in cleartext.

A rainbow table attack is a type of attack in which the perpetrator uses a rainbow table to crack the password hashes stored in a database. A rainbow table is a large precomputed table of hashes that lets an attacker look up which password produced a given stored hash instead of computing every candidate from scratch.
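The sign-up and login flow described above, and the reason a rainbow table is of little use against a properly stored hash, can be seen in a few lines of code. The example below is added here and is not code from the article; it uses PBKDF2-HMAC-SHA256 with a per-user random salt (the iteration count is an assumed value chosen for the demo) and keeps only the salt and hash, never the cleartext password.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256; assumed value for this demonstration.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash). A fresh random salt is generated when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def register(store: dict, username: str, password: str) -> None:
    """Sign-up: store only the salt and the hash, never the cleartext password."""
    salt, digest = hash_password(password)
    store[username] = {"salt": salt, "hash": digest}


def login(store: dict, username: str, password: str) -> bool:
    """Login: re-hash the supplied password with the stored salt and compare
    the result to the stored hash in constant time."""
    record = store.get(username)
    if record is None:
        # Hash anyway so response time does not reveal whether the user exists.
        hash_password(password)
        return False
    _, digest = hash_password(password, record["salt"])
    return hmac.compare_digest(digest, record["hash"])


def same_password_different_hashes(password: str) -> bool:
    """Two users who chose the same password end up with different stored hashes
    because each has its own salt. A rainbow table precomputed for unsalted
    hashes therefore matches neither entry."""
    store = {}
    register(store, "alice", password)
    register(store, "bob", password)
    return store["alice"]["hash"] != store["bob"]["hash"]


if __name__ == "__main__":
    # Constructed sample users for the demonstration.
    users = {}
    register(users, "alice", "correct horse battery staple")
    print(login(users, "alice", "correct horse battery staple"))  # True
    print(login(users, "alice", "wrong"))                         # False
    print(same_password_different_hashes("hunter2"))              # True
```

What an attacker sees after a breach of `users` is the salt and hash for each account; to recover a password they would have to run the slow PBKDF2 computation per guess, per user, which is exactly what the salt and iteration count are there to force.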

But sometimes your password can be compromised without the site ever being hacked, through something called a brute force attack. A brute force attack is the simplest method of gaining access to a site or server (or anything that is password protected): it tries combination after combination of usernames and passwords until one gets in.

A dictionary attack is similar to a brute force attack, but it tries only the possibilities that are deemed most likely to succeed. Dictionary attacks often work because many people tend to use short passwords that are ordinary words or common passwords, or simple variants of them obtained, for example, by appending a digit or punctuation character. They are easy to protect against by using a passphrase, or otherwise choosing a password that is not a simple variant of a word found in any dictionary or list of commonly used passwords.

The best type of password to pick is at least eight characters long and mixes uppercase and lowercase letters, numbers, and a special character.

If you have any additional questions, contact us.