If you use Microsoft Edge to log in to iCrimeFighter and have allowed Edge to remember your password, please take a few minutes to read this security advisory. On May 4, 2026, the SANS Internet Storm Center (ISC) published a report discussing how saved credentials in Microsoft Edge may be recoverable from browser process memory under certain conditions — raising serious concerns for environments handling sensitive systems and regulated data like criminal justice information (CJI).
Recommended Action
- Do not store your iCrimeFighter password in Microsoft Edge
- Remove any iCrimeFighter passwords previously saved in Edge
- Reset passwords that were stored in the browser
- Confirm that MFA is enabled on your account
- Lock your Windows session whenever you step away from your workstation
Why Your iCrimeFighter Password Needs to Be Long and Complex
iCrimeFighter stores digital evidence including crime scene photos, body-worn camera footage, interview recordings, case files, and investigative documentation. iCrimeFighter is designed and operated to support agencies working under the FBI Criminal Justice Information Services (CJIS) Security Policy, which governs systems that process criminal justice information (CJI).
What the CJIS Policy Requires
CJIS Security Policy Section 5.6 governs how users authenticate before accessing systems containing CJI. Your iCrimeFighter password must:
- Be at least 20 characters long
- Not be a dictionary word or proper name
- Not match your username
- Not repeat any of your last 10 passwords
- Be changed immediately if compromise is suspected
The current CJIS Security Policy (v6.0, December 2024) also requires multi-factor authentication (MFA) for all accounts accessing CJI.
Why People Save Passwords in the Browser
A 20-character password is difficult to remember, especially for users working across multiple systems and applications throughout the day. Browser password storage feels convenient, and many users assume credentials are protected by Windows login security or biometrics.
What the SANS Report Discussed About Edge
On May 4, 2026, the SANS Internet Storm Center published a report by security researcher Rob VandenBrink titled "Cleartext Passwords in MS Edge? In 2026?" One important concern highlighted in the report is the risk posed by unattended workstations. If a user leaves their computer unlocked with Edge running, someone with physical access to the machine could extract saved passwords from browser memory using commonly available tools, potentially within minutes.
Importantly, this is not described as a remote internet-based attack. The reported behavior requires local access to the workstation and an active user session. Read the original report: https://isc.sans.edu/diary/32954
Why This Matters for CJIS Password Security
Your iCrimeFighter credentials may provide access to active investigations, digital evidence, sensitive recordings, prosecutorial materials, and audit-tracked user actions. If credentials are exposed through a compromised workstation or unattended session, an unauthorized person could potentially access evidence systems using that account. Browser-based password storage practices may also conflict with how some agencies interpret CJIS password protection requirements and internal security policies.
What You Should Do Now
- Remove Saved iCrimeFighter Passwords From Edge: Open Microsoft Edge and navigate to Settings → Passwords. Delete any saved iCrimeFighter credentials.
- Reset Your iCrimeFighter Password: If your password was previously stored in Edge, consider resetting it immediately.
- Lock Your Computer Whenever You Step Away: Use Windows Key + L to immediately lock your workstation.
- Use an Approved Password Manager: Instead of storing passwords in the browser, use a password manager approved by your IT department to store credentials securely.
- Confirm That MFA Is Enabled: Multi-factor authentication provides additional protection even if a password becomes compromised.
- Report Suspicious Activity Immediately: Contact your supervisor and iCrimeFighter support as soon as you notice unexpected logins or unusual account activity.
A Note to IT Administrators
If your users access iCrimeFighter from Windows machines where Edge is the default browser, a few things are worth checking:
- Whether Edge password saving is currently enabled, and whether it can be turned off via Group Policy across CJI-connected machines
- Whether MFA is enforced for all iCrimeFighter accounts at your agency
- Whether your current CJIS password storage controls account for what has been disclosed in this report
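For the first check above, one way to see how policy currently configures Edge password saving on a workstation. This is an added example, not iCrimeFighter or SANS code; it assumes the control is Edge's documented PasswordManagerEnabled policy, which this advisory does not name, read from Edge's standard policy registry keys.

```powershell
# Added example (not vendor code): report how policy configures Edge password saving.
# Assumption: the control is Edge's PasswordManagerEnabled policy (DWORD),
# where 0 = saving disabled and 1 = saving enabled.
$policyName = 'PasswordManagerEnabled'
$locations = [ordered]@{
    MachineMandatory   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
    UserMandatory      = 'HKCU:\SOFTWARE\Policies\Microsoft\Edge'
    MachineRecommended = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge\Recommended'
}

$found = [ordered]@{}
foreach ($scope in $locations.Keys) {
    $key = Get-ItemProperty -Path $locations[$scope] -Name $policyName -ErrorAction SilentlyContinue
    # $null means the value (or the whole key) is absent: not configured at this scope.
    $found[$scope] = if ($key) { [int]$key.$policyName } else { $null }
}

# A machine-level mandatory setting takes precedence over a user-level one.
$mandatory = if ($null -ne $found.MachineMandatory) {
    $found.MachineMandatory
} else {
    $found.UserMandatory
}

$verdict = if ($mandatory -eq 0) {
    'PASS: password saving is disabled by mandatory policy'
} elseif ($mandatory -eq 1) {
    'FAIL: mandatory policy turns password saving on'
} elseif ($found.MachineRecommended -eq 0) {
    'WARN: disabled only as a recommended default; users can turn it back on'
} else {
    'FAIL: no policy set; users can save passwords in Edge'
}

# Show the raw value found at each scope, then the overall result for this machine.
$found.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{
        Scope = $_.Key
        Value = if ($null -eq $_.Value) { 'not set' } else { $_.Value }
    }
} | Format-Table -AutoSize

'{0}: {1}' -f $env:COMPUTERNAME, $verdict
```

A PASS here only shows that new saves are blocked by policy; passwords already saved in Edge still need to be removed and reset as described above.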
Final Thoughts
Recent security research has raised important questions about how credentials may be exposed on shared or unattended Windows workstations running Microsoft Edge. For organizations handling criminal justice information and digital evidence, reviewing credential storage practices is a reasonable and prudent step.
