Holy shit, Microsoft. Whoever made this decision should be fired. Into the Sun.
@kaidenshi all browsers expose your saved passwords in memory. Any obfuscation the browser can undo without input can be undone fairly easily.
If it makes you feel any better by the time someone gets that memory access, your system is always thoroughly pwned.
@KF0UNK the difference is that other browsers only expose the one password you request at that moment and only for as long as it takes for you to log in to the service you need it for. Edge decrypts and stores all your passwords in plaintext in memory as soon as it launches and keeps them there until you close the browser. It’s a night and day difference.
Not really.
Edge: The passwords are in memory, an attacker who can dump memory can read them.
Chrome: The passwords are encrypted, but the decryption key is in memory. An attacker who can dump memory can read the decryption key and read them.
Both models are vulnerable to the exact same set of attacker capabilities. From a threat-model perspective, they are not different.
If your threat model is ‘administrators on the system must not see my passwords’ then you have problems that cannot be solved on conventional operating systems on conventional hardware.
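A toy model of the three designs the thread contrasts, added here as an example and not code from Edge, Chrome or any other browser. It assumes a constructed in-memory record format (`PW`, `KY`, `CT` records), a constructed set of saved passwords, and a throwaway SHA-256 counter-mode keystream standing in for the browser's real cipher so the script runs with the standard library only. The attacker's sole capability is reading the process memory image; the point is that designs 1 and 2 fall to that capability identically, while design 3 only survives because the key never sits in memory.

```python
import hashlib
import struct

# Constructed sample vault; not real credentials.
SAVED = {"mail.example": "hunter2", "bank.example": "correct horse"}


def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256. Illustration only, not a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack(">I", counter)).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(plaintext, keystream(key, len(plaintext))))


decrypt = encrypt  # XOR with the same keystream undoes it


def record(tag: bytes, payload: bytes) -> bytes:
    """Constructed memory layout: 2-byte tag, 2-byte big-endian length, payload."""
    return tag + struct.pack(">H", len(payload)) + payload


def memory_image_plaintext() -> bytes:
    """Design 1 (the thread's description of Edge): every password decrypted at launch."""
    return b"".join(record(b"PW", host.encode() + b"\0" + pw.encode())
                    for host, pw in SAVED.items())


def memory_image_key_resident(key: bytes) -> bytes:
    """Design 2 (the thread's description of Chrome): ciphertexts plus the key, both resident."""
    image = record(b"KY", key)
    for host, pw in SAVED.items():
        image += record(b"CT", host.encode() + b"\0" + encrypt(key, pw.encode()))
    return image


def memory_image_user_secret(master_password: str) -> bytes:
    """Design 3: key derived from a user secret that is never written to memory.
    The image holds ciphertexts only; no KY record exists to find."""
    key = hashlib.sha256(master_password.encode()).digest()
    return b"".join(record(b"CT", host.encode() + b"\0" + encrypt(key, pw.encode()))
                    for host, pw in SAVED.items())


def parse_records(image: bytes):
    i = 0
    while i < len(image):
        tag = image[i:i + 2]
        (n,) = struct.unpack(">H", image[i + 2:i + 4])
        yield tag, image[i + 4:i + 4 + n]
        i += 4 + n


def attacker_with_dump(image: bytes) -> dict:
    """Attacker capability: read process memory. Nothing else (no keystrokes, no user)."""
    key = None
    recovered = {}
    ciphertexts = []
    for tag, payload in parse_records(image):
        if tag == b"PW":                       # plaintext: read it straight off
            host, pw = payload.split(b"\0", 1)
            recovered[host.decode()] = pw.decode()
        elif tag == b"KY":                     # resident key: the "encryption" is moot
            key = payload
        elif tag == b"CT":                     # hostnames contain no NUL, so split once
            host, ct = payload.split(b"\0", 1)
            ciphertexts.append((host.decode(), ct))
    if key is not None:
        for host, ct in ciphertexts:
            recovered[host] = decrypt(key, ct).decode()
    return recovered


if __name__ == "__main__":
    print("design 1:", attacker_with_dump(memory_image_plaintext()))
    print("design 2:", attacker_with_dump(memory_image_key_resident(b"k" * 32)))
    print("design 3:", attacker_with_dump(memory_image_user_secret("not in memory")))
```

Designs 1 and 2 yield the full vault to the same dump; design 3 yields nothing until the moment the user types the master password or the browser derives the key, at which point that key is itself in memory and the dump recovers whatever it protects. That is the narrow sense in which "how long the secret is resident" matters, and the broad sense in which a memory-reading attacker is outside the threat model either way.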
@david_chisnall @KF0UNK I'm curious as to how Firefox does it (including forks). Do you have any insight into that? I'd assume it's similar to Chrome's approach but I really have no idea.