I mean having it decoded in memory isn't ideal, but if you're in a position where a malicious person or application has free run to read your system memory then frankly you've got much bigger problems.
(
evil_andy Stick stick stick stick sticky sticky stick stick, Thu 7 May 2026, 12:29,
Reply)
That kind of unwarranted rationale will never generate you ad revenue!
(, Thu 7 May 2026, 13:11, Reply)
that's like finding out the cleaner who comes each day takes your cash and passports out of the safe and leaves them on the coffee table
and saying "well it's only a problem is someone comes into the house"
In fact, it's probably worse than that example, as edge shares it's password manager between devices if you log in to edge, so this could happen on some hotel computer in bratislava. All your passwords, in plaintext, as soon as you login to the browser
(
cumquat may will not be commenting further on the allegations, Thu 7 May 2026, 16:07,
Reply)
If you log into edge in some random computer in Bratislava, you deserve everything that's coming to you.
To borrow your analogy it's like being upset that the cleaner who comes each day takes your cash and passports out of the safe and leaves them on the coffee table, but completely ignoring the guys in balaclavas just letting themselves in and ransacking the rest of your stuff.
(
evil_andy Stick stick stick stick sticky sticky stick stick, Thu 7 May 2026, 17:30,
Reply)
I just use the same password for everything. Totally negates the need for a password manager in the first place.
(, Thu 7 May 2026, 18:19, Reply)
It's... a solution.
(
evil_andy Stick stick stick stick sticky sticky stick stick, Thu 7 May 2026, 18:20,
Reply)
That’s not how software security works
Secure by design is the standard. Decrypt at the point of use, not at startup.
Sure you may have bigger problems, but why add to them?
(
wheresthefish Partly filled with wrong, Fri 8 May 2026, 0:08,
Reply)
this doesn't sound like victim-blaming
(
cumquat may will not be commenting further on the allegations, Fri 8 May 2026, 2:33,
Reply)
The concept of victim-blaming is a load of old wank.
It absolves certain victims from failing to take the necessary precautions required to reasonably reduce their likelihood of suffering the crime in the first place.
If your car gets nicked because you left it running while you popped into a Bradford corner shop, then you absolutely need to shoulder some of the blame.
If your PC gets compromised to the point that somebody has opened a back door and assumed Administrator rights, it's probably because you clicked on something you shouldn't have. Again, insufficient precaution.
(, Sat 9 May 2026, 21:04, Reply)
this does sound like victim-blaming
(
cumquat may will not be commenting further on the allegations, Sun 10 May 2026, 1:01,
Reply)
Because the victim shares part of the blame in many cases.
Unless you're one of those idealistic fuckwits who dreams of a world with absolutely no crime at all and we can leave our doors unlocked while we go on holiday without the fear of being burgled, in which case there wouldn't be any victims of crime in the first place.
(, Sun 10 May 2026, 4:54, Reply)
hmm, so one should take basic precautions, except if you're designing a shitty password manager?
then it's ok because if something happens someone else is to blame
I think I understand, but it's not the most coherent position
(
cumquat may will not be commenting further on the allegations, Sun 10 May 2026, 10:34,
Reply)
Did you miss the bit about needing to already have access to the victim's computer before being able to read from the memory?
Just take the loss and move on.
(, Sun 10 May 2026, 13:02, Reply)
Sorry Huw, here we are talking about responsibility, and you don't even see it at as bad design.
I forget that I'm talking to someone whose opinions far exceed his knowlege
"From a defensive perspective, storing passwords in clear-text memory violates the principles of least privilege, zero trust, and secure application design," Morey Haber, chief security advisor at security provider BeyondTrust, told ZDNET. "It is simply just a bad idea. If a password can be read in memory by a human or malicious process, it is no longer a protected secret. It is already compromised in principle through clear-text storage in an already insecure medium.Hopefully, Microsoft will see this as a security flaw and adopt the same method used in Chrome and other browsers to decrypt passwords only when needed. Until then, I'd advise against using Edge as your password manager."
Haber says that process memory is viewed by modern operating systems as a protected, albeit shared, resource. “Debuggers, crash dumps, memory scrapers, malware, privileged insiders, endpoint agents, and even legitimate administration tools can all interact with memory under the right conditions,” he explains. “If a password exists in clear text within memory, the credential is no longer protected by encryption or hashing. It is simply waiting to be used by something and potentially anything.”
According to Haber, malicious actors understand very well the risk of a stored plaintext password — and sometimes, they understand it better than organizations themselves.
“Some of the most effective post exploitation techniques in cybersecurity rely entirely on memory extraction from credential dumping tools through process crash dumps,” he states. "Once extracted, that password can enable privilege escalation, lateral movement, persistence, and unauthorized remote access across the environment."
Or
"The fact that cleartext passwords exist in memory is one thing - the core issue is that other processes can read this memory without restriction," Craig Lurey, CTO and co-founder of Keeper Security, told ISMG. "Windows does not prevent a non-elevated program from reading the memory of another program running under the same user context. The consequence is that sensitive data kept in memory by applications can be targeted by local malware."
The risk is particularly acute in enterprise environments using shared infrastructure such as Citrix servers, virtual desktop infrastructure and remote desktop systems, where multiple users may operate on the same machine. An attacker with administrative access on a terminal server can read the memory of every user process running on the machine, including sessions that are disconnected. But Chrome handles passwords very differently. It only decrypts a password at the moment it is actually needed, such as during autofill. Chrome also uses a feature called Application-Bound Encryption, which ties the decryption keys to an authenticated Chrome process, making it significantly harder for attackers to pull passwords out of memory.
(
cumquat may will not be commenting further on the allegations, Sun 10 May 2026, 14:23,
Reply)
Sure, but you're not taking into account the exploitation method here. Decrypt at the point of use is no help in a system that's completely compromised as is being discussed. The attacker alreay has admin level access to the memory and therefore the entire system. They already have the decryption keys.
It's just performative security at that point - it's not adding any barriers.
(
evil_andy Stick stick stick stick sticky sticky stick stick, Fri 8 May 2026, 11:23,
Reply)
so, that's the only security vulnerability, ay? someone getting complete admin priveleges?
All those non privileged exploits, rambleed, format string attacks, spectre, meltdown, stack overflows etc don't exist, so a password manager that loads all your passwords in plaintext on launch is fine, not something that even if the system was compromised you would expect it to keep them relatively secure and not serve it up on a platter?
(
cumquat may will not be commenting further on the allegations, Sun 10 May 2026, 1:21,
Reply)