mfro 6 hours ago
When someone says passwords are ‘stored’, the assumption will always be ‘stored on disk’. ‘stores in memory’ is not an accurate representation because memory is inherently volatile and they are loaded there temporarily. Plaintext on disk is egregious, plaintext in memory is considerably less so.

saghm 2 hours ago
> When someone says passwords are ‘stored’, the assumption will always be ‘stored on disk’. ‘stores in memory’ is not an accurate representation

I mean, sure, if you literally ignore the words "in memory", but by that logic you could argue that "Microsoft Edge stores" is misleading because it sounds like it's talking about retail establishments that sell the web browser, which is equally nonsense. I don't find it plausible that you think most people would see "stores in memory" as meaning "stores on disk" unless you think that they don't understand the difference between memory and disk, at which point I don't think that they would be here to misread the headline.

jazzyjackson 5 hours ago
Especially when the point of a password manager is to stick a plaintext string into a webpage, which then transmits the plain text to a remote server. Passwords are just not a very good solution to keeping secrets.

StilesCrisis 4 hours ago
Never enter your password into a website that doesn't use https.

jonathanlydall 4 hours ago
*over any untrustworthy network. To be fair though, there are very few situations where the network is completely trustworthy, like your home network with no one else on it or a VPN direct to an HTTP server.

StilesCrisis 4 hours ago
My understanding was that if you have a valid https session, you are good. A really really untrustworthy network could MITM your SSL connections and impose itself in front of all of them (Cisco IronPort?) but I think even then your browser will complain unless you've installed a proxy that allows it or a custom root certificate.
|
|
|
|
|