Lorkki 4 hours ago
In recent years we've also had browser-exploitable vulnerabilities that allowed reading arbitrary memory as a regular user, but slowly or without full control over the locations. I think wiping credentials as soon as possible after use is a very sensible precaution, even if it's only a moat.
giancarlostoro 2 hours ago
I wonder about those kinds of exploits that sit on a webpage, but what stops someone from injecting their payload on a site's login page? JS can grab the password in plaintext in such a scenario, at which point the password manager does not save you. Can we normalize Passkey more?
avereveard 2 hours ago
It's surprisingly hard to do: the compiler or CPU may see a write without a read and optimize it away. Windows has a SecureZeroMemory and a few other barrier primitives, but not all languages reach to it.
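
The dead-store problem raised in the last comment, as an added example that is not part of the thread: a wipe written through a volatile pointer, which optimizing compilers in practice do not eliminate the way they may eliminate a trailing `memset`. The function names and the checksum stand-in for "using the credential" are hypothetical, and the sample credential is constructed.

```c
#include <stddef.h>
#include <string.h>

/* Wipe n bytes through a volatile pointer. Compilers treat volatile
 * accesses as side effects, so in practice these stores are not dropped
 * as dead stores the way a trailing memset() can be. */
void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
#if defined(__GNUC__) || defined(__clang__)
    /* Compiler barrier: no memory access may be reordered across it. */
    __asm__ __volatile__("" : : "r"(p) : "memory");
#endif
}

/* Returns 1 when every byte of the buffer is zero. */
int is_all_zero(const void *p, size_t n)
{
    const unsigned char *b = (const unsigned char *)p;
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= b[i];
    return acc == 0;
}

/* Hypothetical stand-in for "use the credential": a simple byte sum. */
unsigned credential_checksum(const char *s, size_t n)
{
    unsigned sum = 0;
    for (size_t i = 0; i < n && s[i]; i++)
        sum += (unsigned char)s[i];
    return sum;
}

/* Copies a credential into a local buffer, uses it, then wipes the copy.
 * A plain memset(local, 0, sizeof local) at this point would be a dead
 * store (local is about to go out of scope) and may be removed. */
unsigned use_and_wipe(const char *cred, int *wiped)
{
    char local[64];
    size_t n = strlen(cred);
    if (n >= sizeof local)
        n = sizeof local - 1;          /* truncate rather than overflow */
    memcpy(local, cred, n);
    local[n] = '\0';
    unsigned sum = credential_checksum(local, sizeof local);
    secure_wipe(local, sizeof local);  /* wipe the whole buffer, not just n */
    *wiped = is_all_zero(local, sizeof local);
    return sum;
}
```

This only clears the copy the program controls; copies left in registers, spilled stack slots or swapped pages are outside its reach.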