When attackers gain valid access, it’s what happens next that defines the risk. How easily can they move through the environment, avoid detection and turn identity into their route to deeper compromise? And what measures can you take to stop them in their tracks?
You may have seen a recent story about Microsoft Edge and the way in which it stores and surfaces saved passwords during a browser session. Microsoft has described this as a design decision, pointing to the long-standing balance between usability, performance and security.
It’s a familiar trade-off. Every digital service has to make access quick enough for users to work productively, while limiting the opportunities attackers have to exploit it.
But beyond the headline, the story points to another pressing issue for organisations. Security incidents are not defined only by the initial compromise, but by what happens next.
Once an attacker gains access to a device, session or credential, they can use valid access and legitimate behaviour to move in ways that look normal.
That’s often where the real risk lies, and why we believe modern security design has to start with identity.
Why credentials still offer the keys to the kingdom
Credentials remain one of the most valuable assets an attacker can obtain. In most enterprise environments, saved passwords, browser sessions, tokens and accounts are not isolated pieces of data. They are routes into systems, cloud services, internal applications, third-party platforms and shared resources.
If an attacker can extract or misuse those credentials from a compromised device, they may be able to move laterally using access that appears legitimate. To many systems, a valid username and password still looks like a valid user.
In practice, that could mean:
- Moving between cloud services without triggering obvious perimeter alerts
- Escalating access where privileges are excessive or poorly governed
- Using compromised accounts to target colleagues, suppliers or customers
- Extending dwell time because the activity resembles normal user behaviour
This is a central challenge for security teams and re-centres the focus on how quickly you can detect, respond and contain a compromise once it has happened.
Security has always been a balance
Now, as the Edge story reminds us, security design is often about trade-offs.
Users expect authentication to be seamless. They expect browsers, apps and cloud services to remember them, move quickly and reduce friction. Organisations want the same thing, because excessive friction creates its own risks:
- Workarounds
- Insecure password storage
- Support pressure
- Poor adoption
But convenience creates exposure if it is not paired with the right controls.
That is where modern identity security becomes essential. Strong identity strategy means applying the right level of scrutiny at the right time based on risk.
A low-risk sign-in from a managed device may be allowed to proceed smoothly. A login from an unfamiliar location, risky device, impossible travel pattern or unusual session may require step-up authentication, restricted access or automatic blocking.
This is the practical value of adaptive authentication and conditional access. You are keeping access useable while making it much harder for attackers to operate unnoticed.
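The risk-based decision described above, sketched as an added example (not code from the original article or from any Microsoft product). The signal names, thresholds and signal-to-action policy are assumptions, and the sign-in events are constructed sample data.

```python
import math
from datetime import datetime, timezone

MAX_KMH = 900        # assumed ceiling: roughly airliner cruising speed
MIN_KM = 50          # assumed tolerance for geo-IP jitter within one metro area
SEVERITY = ["allow", "restrict", "step_up", "block"]
# Assumed policy: the response each risk signal calls for.
SIGNAL_ACTION = {"unmanaged_device": "restrict",
                 "unfamiliar_location": "step_up",
                 "impossible_travel": "block"}

def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371 * math.asin(math.sqrt(h))

def impossible_travel(prev, cur):
    """True if the user would have had to move faster than MAX_KMH."""
    dist = km_between(prev["geo"], cur["geo"])
    hours = (cur["time"] - prev["time"]).total_seconds() / 3600
    if dist < MIN_KM:
        return False
    return hours <= 0 or dist / hours > MAX_KMH

def decide(prev, cur, known_countries):
    """Return (action, signals) for a sign-in, given the previous sign-in."""
    signals = []
    if not cur["managed"]:
        signals.append("unmanaged_device")
    if cur["country"] not in known_countries:
        signals.append("unfamiliar_location")
    if prev is not None and impossible_travel(prev, cur):
        signals.append("impossible_travel")
    actions = [SIGNAL_ACTION[s] for s in signals] + ["allow"]
    return max(actions, key=SEVERITY.index), signals

def signin(hour, geo, country, managed=True, day=1):
    """Build a constructed sign-in event (sample data, not real telemetry)."""
    t = datetime(2024, 1, day, hour, tzinfo=timezone.utc)
    return {"time": t, "geo": geo, "country": country, "managed": managed}

london = signin(9, (51.5074, -0.1278), "GB")
sydney = signin(10, (-33.8688, 151.2093), "AU", managed=False)
paris = signin(9, (48.8566, 2.3522), "FR", day=2)

if __name__ == "__main__":
    for cur in (sydney, paris):
        print(cur["country"], decide(london, cur, {"GB"}))
```

The strictest action among the triggered signals wins, so a sign-in that shows impossible travel is blocked even if it would also have qualified for step-up authentication.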
Adopting the Zero Trust ‘assume breach’ stance
Zero Trust entails ‘never trust, always verify.’ But in practice, it also means designing security around the assumption that compromise may already have happened.
Get Zero Trust right and the risks look very different:
In other words, Zero Trust does not assume that credentials are always safe because a user passed authentication once. It continuously asks whether that access still makes sense.
That matters because attackers move quickly. If identity signals are disconnected from response, suspicious activity may be detected too late or not acted on decisively enough. But when identity, access and security operations are integrated, organisations can shrink the window between compromise, detection and containment.
The takeaways
The reality is that security incidents often unfold through legitimate access.
Attackers don’t always need to break systems in obvious ways. Sometimes they use what the environment already gives them.
That is why we treat identity as the foundation point beneath every layer of your security controls.
The organisations best placed to manage this risk are those who can answer three questions clearly:
- Who has access?
- Should they still have it?
- How quickly are we able to detect and respond to abuse?
If the answer to any of those is unclear, the risk is already there.
Ready to strengthen your identity security?
As a leading Microsoft partner for over 20 years, Kocho helps organisations design and deliver identity security strategies that reduce risk without slowing users down.
Arrange a short call with one of Kocho’s identity experts to find out how we can help.