busterarm 6 hours ago

For anyone that thinks this is an Edge-specific dunk, Chrome does not hash your passwords and they are cleartext in memory while Chrome is running (which for most users is always).

Someone1234 6 hours ago

Password hashes are one-directional lossy storage. If a password manager "hashed your password" it would be essentially deleting your password and replacing it with something else which cannot be used to log into anything. The password MUST be recoverable to plain-text to replay it to a website.

But you're correct that Chrome, Firefox, Edge, Lastpass, BitWarden, even Keepass have the same issue. It is an Operating System limitation, not a password manager problem.

Sohcahtoa82 4 hours ago

I think the catch is whether the passwords are unencrypted in memory constantly, or only during a short period when the password is being used?

busterarm an hour ago

I never said that they should be hashed, just that they aren't. Just subtly pointing out what the tradeoffs are if you choose to use a password manager whose storage/access is basically always available.

At least with Keepass it's locked in an encrypted store and only available exactly when I need it to be. I can take other precautions if I want when I want to access it.

With your browser's password manager you're stuck with the slop you were given.

bobbiechen 6 hours ago

This is generally true of every application that handles sensitive data. Unless you explicitly clear that memory, it's likely to hang around forever.

For example, here is a 2019 writeup from KeePassXC with similar notes: https://keepassxc.org/blog/2019-02-21-memory-security/ - even though they explicitly clear sensitive data, there is still a window of opportunity.

During my time working on confidential computing, we had a variety of demos showing similar attacks against lots of different datastores, scripts, etc. That's just how computers work and your options are very limited if this is part of your threat model (imo just confidential computing and, if you can handle the performance hit, fully-homomorphic encryption).
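The three points made in this subthread (the plaintext must exist while it is being replayed, the question is how long it stays exposed, and an explicit wipe narrows that window but cannot remove it) can be shown in a few dozen lines. The following is an added example, not code from any browser, KeePass or KeePassXC; the `locked_secret` type, its XOR masking, the `secure_wipe`/`contains`/`use_secret` helpers and the sample password are all constructed for illustration, and the masking is a placeholder for real encryption under a user-held master key, not a cipher.

```c
/* Added example: keep a secret "locked" at rest, expose the plaintext only for
 * the duration of one use, then wipe it so a later memory scan finds nothing.
 * All names and values here are constructed for illustration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SECRET_MAX 64

/* Zeroise through a volatile pointer so the optimiser cannot drop the stores
 * as "dead" the way it may with a trailing memset(). Platforms provide
 * explicit_bzero()/SecureZeroMemory() for the same purpose. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Minimal memmem(): stand-in for "scan a memory region for a cleartext password". */
static int contains(const unsigned char *hay, size_t hlen,
                    const unsigned char *needle, size_t nlen) {
    if (nlen == 0 || nlen > hlen) return 0;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return 1;
    return 0;
}

/* Secret at rest. The mask is a constructed placeholder for real encryption;
 * its only job here is to keep the plaintext out of the store while unused. */
typedef struct {
    unsigned char masked[SECRET_MAX];
    unsigned char key[SECRET_MAX];
    size_t len;
} locked_secret;

static int lock_secret(locked_secret *s, const unsigned char *plain, size_t len,
                       const unsigned char key[SECRET_MAX]) {
    if (len > SECRET_MAX) return -1;
    memcpy(s->key, key, SECRET_MAX);
    for (size_t i = 0; i < len; i++) s->masked[i] = plain[i] ^ key[i];
    s->len = len;
    return 0;
}

/* Unmask into `work`, hand it to `consumer` (the moment it is replayed to a
 * site), then wipe the whole buffer. Returns the number of bytes exposed. */
static size_t use_secret(const locked_secret *s, unsigned char *work, size_t worklen,
                         void (*consumer)(const unsigned char *, size_t, void *),
                         void *ctx) {
    if (s->len > worklen) return 0;
    for (size_t i = 0; i < s->len; i++) work[i] = s->masked[i] ^ s->key[i];
    consumer(work, s->len, ctx);      /* the unavoidable window of exposure */
    secure_wipe(work, worklen);
    return s->len;
}

/* 1 if every byte of `buf` is zero, i.e. the wipe really happened. */
static int is_wiped(const unsigned char *buf, size_t n) {
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) acc |= buf[i];
    return acc == 0;
}

typedef struct {
    int visible_during_use;   /* plaintext present while in use (must be 1) */
    int wiped_after_use;      /* work buffer all-zero afterwards (want 1) */
    int at_rest_contains_plain; /* plaintext findable in the locked store (want 0) */
} demo_result;

static const unsigned char SAMPLE_PW[] = "correct horse battery staple"; /* constructed */

static void seen_during_use(const unsigned char *p, size_t n, void *ctx) {
    demo_result *r = (demo_result *)ctx;
    r->visible_during_use = contains(p, n, SAMPLE_PW, sizeof SAMPLE_PW - 1);
}

static demo_result run_demo(void) {
    demo_result r = {0, 0, 0};
    unsigned char key[SECRET_MAX];
    for (size_t i = 0; i < SECRET_MAX; i++)    /* constructed, deliberately not random */
        key[i] = (unsigned char)(0x5a ^ (i * 37));
    locked_secret s;
    memset(&s, 0, sizeof s);
    lock_secret(&s, SAMPLE_PW, sizeof SAMPLE_PW - 1, key);
    unsigned char work[SECRET_MAX];
    use_secret(&s, work, sizeof work, seen_during_use, &r);
    r.wiped_after_use = is_wiped(work, sizeof work);
    r.at_rest_contains_plain =
        contains((const unsigned char *)&s, sizeof s, SAMPLE_PW, sizeof SAMPLE_PW - 1);
    secure_wipe(&s, sizeof s);
    secure_wipe(key, sizeof key);
    return r;
}

int main(void) {
    demo_result r = run_demo();
    printf("visible during use: %d, wiped after: %d, findable at rest: %d\n",
           r.visible_during_use, r.wiped_after_use, r.at_rest_contains_plain);
    return 0;
}
```

The `consumer` callback is the part no design can remove: whatever replays the password to the site sees it in the clear, which is Someone1234's point. What a design does control is everything around that call, and the KeePassXC post linked above is about exactly the residue this toy ignores (copies made by the UI toolkit, the clipboard, swap, and core dumps).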

dist-epoch 4 hours ago

Windows already has a secure kernel credential store, they could move the Edge password store there with a bit of effort, minimize the splash damage when you retrieve a single password to send over HTTP from the regular user space.

> Credential Guard prevents credential theft attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials stored by applications as domain credentials.

> Credential Guard uses Virtualization-based security (VBS) to isolate secrets so that only privileged system software can access them.

https://learn.microsoft.com/en-us/windows/security/identity-...