Microsoft Edge loads your passwords into memory in plaintext, but Microsoft says not to worry
https://www.windowscentral.com/microsoft/microsoft-edge-will-load-all-your-passwords-into-memory-in-plaintext-but-microsoft-says-its-not-a-security-concern
Microsoft SSH agent persistently stores your unencrypted private keys in the registry. They're still there unlocked and usable after you reboot.
https://github.com/PowerShell/Win32-OpenSSH/issues/1487
God, the final comment in that thread makes my blood boil.
That is infuriating. Leaving those keys available to the user means that worms can later use you to compromise additional machines. It turns a local problem into a much bigger one. There's a recursive script out there that automatically scans your ssh files and attempts to access all hosts in your history... name escapes me at the moment.
Right there in the name, it says Secure She'll Hades
does this company intentionally want users to stop using it? cuz day by day either there's a new windows bug or just shittier software
Not to worry, the next update will fix it. (And make 12 other things worse. Also it will make your printer stop working. Again.)
as if it ever worked with windows anyway...lol...got it working on linux on the first try
I think it's more than they just don't care. Microsoft cornered the business world decades ago because they've got wot C-levels crave....or something. End users have no say in it.
The AI tells them this is fine, and we are not to question the AI.
trust is multiplicative, not additive
Our lives are in the hands of morons. What the fuck.
There's an AI for that.
Our lives are in the hands of product managers driving programming decisions.
Oh, sorry. I just realized I repeated what you said.
HOLY @#%^ WHAT IN THE @#%^ DO THEY MEAN "NOT TO WORRY"?????????????????
Well, hold on now, maybe Microsoft has a reasonable explanation for how they actually do secure their passwords...
... Never mind.
Nothing to do with usability since decrypting your passwords one by one is perfectly fine. So they are saying this is about performance ? Holy fuck...
They're just doing what Copilot told them to!
They mean that it won't affect them.
Every time I read a Microsoft headline these days
"We value user safety and usability, but if you're already compromised you can go fuck yourself"
No, if you are already compromised there is just no way anyone can help you anymore besides wiping your whole system.
True, but there's a big fucking difference between handing over the keys without being asked, and doing basic fucking due diligence and not loading all your passwords in plain text into memory by default.
I can't defend MicroSlop because that mentality is pants on head stupid and is directly in opposition to any statement that they care about security. Because, again, they made their browser behave this way for no real reason besides blowing smoke up our ass. Chromium handles passwords properly, MicroSlop chose to do it insecurely and is hiding behind the dumbest defense. Because their OS has more holes than Swiss cheese and they refuse to plug a basic security hole that they put there intentionally.
Chrome's handling is barely more secure. A compromised device will have a much easier time reading Chrome's encrypted store than scanning your RAM to find passwords.
Remember that if you don't need to input a password to open the store, then anything with access to your device can also read it.
Whether it's encrypted in your RAM or not barely makes any difference in how difficult the task is.
The only solution is: Browsers should require a password. Or even better: Use a dedicated, properly secured password manager.
Regardless, they're still loading them into memory in plain text, and knowing this exists, it is going to be an easier task to grab than dealing with the encrypted store Chromium uses. At least Chromium uses the built-in credential API to try to protect the secrets; the fact Edge doesn't is an egregious security hole.
I don't disagree that users need to have to enter a password to view their stored passwords, but you're hand waving a massive and intentional decrease in security on Edge's part. No matter how easy it is to get out of another browser, this is a violation of basic secure development practices. Security is only as strong as the weakest link, and edge is determined to not even close one of the easiest links in the chain.
I will disagree on the RAM scanning being easier. It is my opinion that the weakest link here is the password store.
The security hole here is a password management system that can work without external secret. It is shocking that this is still common practice and that people use them.
Yeah, I can't believe I'm defending Microsoft but that's probably what they meant. No browser password saving feature is safe if your device is compromised.
Use a proper encrypted password manager
2026 is gonna be the year I finally move to Linux. I have huge concerns about many aspects of switching, but they're being overtaken by concerns about staying with Windows. I don't even mind if my overall user experience is a bit worse on Linux (I am trying to have reasonable expectations that it won't be the walk in the park Linux advocates on Lemmy like to claim), I just have much more faith in its security, privacy, customisability and - most importantly - the motivations and intentions of its developers.
Best of luck! If you've got questions or problems feel free to DM me (or reply here) and I'll try to help as best I can. I've been using linux since the mid 90s, so I have a decent idea of how it all works :)
If you move to one of the big supported distributions, you'll be extremely surprised how easy it is.
If you just want things to stay consistent and easy, I can't recommend Linux Mint enough. I installed it on my son's laptop almost two years ago and he's never needed my help to fix anything since.
The installation walks you through everything, just like Windows, but it'll only take about a third of the time. Everything just works and there's no trash to uninstall or debloat scripts to run when you're done.
If you do any gaming you might want to run Fedora or bazzite (fedora with training wheels), but if you're using KDE for the desktop that's almost as easy and seamless.
Can confirm, Bazzite is ridiculously easy. If you don't want to dual-boot it's easier to install than Windows. I have it on my laptop and all my games run better now.
Except Tropico 6. For some reason that made my entire system go crazy. 😄
Bazzite is so easy to set up it's kind of ridiculous. I ended up jumping to straight Fedora just so I can fiddle with things a little more, but for 99% of users the immutable distro thing is perfectly fine
Just made the move a few months ago. Only headache was a missing headset driver, but Claude was able to one-shot one for me that's been stable ever since.
Not looking back. There have been very few things that haven't worked so far. Take the leap!
I switched my mom to Linux because teaching her how to use Linux as her daily driver was easier than trying to unfuck windows on her computer.
Back up your data and then go nuts.
Do not. Use. Mint.
That shit bricked my computer for 3 years as a teen with an unpatched bug that made it impossible to ever download any file to my PC again, including any potential fixes. Spent months on stackexchange forums. No solution lol
Windows has yet to screw me over that hard. (Yet.)
I'll take things that didn't happen for 500
Around what year was this issue? Both windows and Linux were pretty unstable until - someone correct me on this - 2012? Windows 8 was the last unrecoverable crash I had. Oddly never had an issue with Linux, but I know it happens, I've just been lucky.
You missed out on windows fucking up drivers for some SSDs a few months back. I had an MSI machine for a client that was unrecoverable on 11, and had to re-install from scratch.
This is sort of like saying "I leave my valuables in plain sight by my door because it has a lock on it and door locks are trustworthy." I'm not super into cyber security and stuff but it seems like one of the most common problems is programs managing to get access to memory they shouldn't have access to. It seems to happen all the time! Just like many locks for your door are trash.
Defense in depth is a concept they teach you in cybersecurity 101. But that's expensive and time consuming, so you end up with shit like this.
It’s ridiculous. It presupposes that cybersecurity doesn’t value or employ defense in depth. Completely untrue.
Look at the attack vector researchers were trying to solve when they created OAuth2.0 w/ PKCE.
Don't overthink the metaphor. These things are fragile and fall apart. The "door with a lock" is the "guarantee" (wink wink) that the operating system won't let programs see memory they shouldn't be allowed to. Putting your valuables in a safe instead of sitting on the floor would be encrypting the passwords in memory in the metaphor.
Also, cyber security and physical security are very different. With cyber security you need to understand that there are orders of magnitude more people looking for simple problems. Like a criminal checking every door in the world automatically, just looking for ones that are unlocked. Someone not being a "target for master criminals" isn't really applicable for this. Besides, that's a critique of what level of security an individual should have, but pointing out the flaw in Edge is a critique of something that claims to be secure that isn't.
I extracted IE6 passwords from hundreds of people when I was 13, for fun. If passwords are now being stored plaintext again, they are going to leak. Some of the people who steal those passwords won't be doing it just for fun.
"Yeah totally secure! Just trust me!.." basically
This LITERALLY isn't secure; they should at least make it encrypted. This is just the same as using your notes app as a password manager! But it's Microsoft, and they're willingly giving your BitLocker encryption key to the FBI for your drives. So I'm not surprised..
I feel it may be worse than using your notes app.
A malicious attack doesn't know which notes app, nor the filename.
This has every browser opening the exact same passwords.txt in root.
Yes you can open our safe with just a good yank but if a thief can do that they’re already in your house.
If the thief is already in your house, he can also eat your meal and steal your furniture.
And who in their right mind would break in to a house built by Microsoft?
Defense in depth is a thing. You don't give up just because someone made it through the first layer.
I don’t worry, I just don’t use Edge or Windows or any MS software really (except for Teams at work)
Same here. Boss still thinks he's funny bashing Apple products as a MS fanboy 🙄
Microsoft - So secure we ROT13 encode everything... TWICE!
Ah yes, the good old ROT26 encryption. Some say its unbreakable
Why did I read "Microsoft Edge lords"?
Eh. To be honest it indeed does not matter much. Scanning your RAM for passwords is much harder than simply reading them off the browser's files. Sure, it is encrypted and the key is not necessarily on your computer, but remember that if the software can decrypt your passwords without you inputting a password or similar, then anything with access to your device can as well.
Don't use your browser's password manager.
For real. Like why isn't that a plugin? I feel like security best practices have advised against using the baked-in password manager in the browser for near a decade now, so any browser claiming an interest in security could score a big win by literally just removing that functionality.
It's a disservice that they even exist at all at this point.
Or simply... Make it encrypted with a password. That simple.
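The point made just above, and argued at more length in the earlier subthread about Chromium's store (a vault that the device can open with no secret from the user offers nothing against code already running as that user, while a passphrase-derived key does), shown as an added Python example. This is illustration code written for this thread, not Edge's, Chromium's or DPAPI's implementation; the HMAC-based toy cipher, the two store designs and the sample password entry are all constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Toy authenticated encryption from stdlib HMAC-SHA256 (counter-mode keystream,
# encrypt-then-MAC): an assumption to keep the demo dependency-free, not any
# browser's real cipher. The key-management difference below is the point.
def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())
def _stream(enc: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(enc, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))

def seal(key: bytes, plaintext: bytes) -> bytes:
    enc, mac = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(enc, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered vault")
    return bytes(a ^ b for a, b in zip(ct, _stream(enc, nonce, len(ct))))

# Design 1: vault encrypted under a key the OS hands back to any code running as
# the user (simulated by returning the key beside the vault). No user secret needed.
def create_machine_bound(passwords: bytes) -> tuple[bytes, bytes]:
    key = secrets.token_bytes(32)
    return seal(key, passwords), key
def open_machine_bound(vault: bytes, os_key: bytes) -> bytes:
    return unseal(os_key, vault)  # opens silently, "encrypted at rest" buys nothing

# Design 2: key derived from a passphrase the user types and nothing stores.
def _derive(passphrase: str, salt: bytes) -> bytes:
    return hashlib.scrypt(passphrase.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
def create_passphrase_vault(passwords: bytes, passphrase: str) -> bytes:
    salt = secrets.token_bytes(16)
    return salt + seal(_derive(passphrase, salt), passwords)
def open_passphrase_vault(vault: bytes, passphrase: str) -> bytes:
    return unseal(_derive(passphrase, vault[:16]), vault[16:])  # fails without the secret

def demo() -> tuple[bool, bool, bool]:
    # (machine-bound opens with no secret, passphrase vault opens with the right
    # secret, passphrase vault opens with a wrong guess)
    pw = b"site.example alice hunter2\n"  # constructed sample entry
    vault, os_key = create_machine_bound(pw)
    pp_vault = create_passphrase_vault(pw, "correct horse battery staple")
    try:
        guessed = open_passphrase_vault(pp_vault, "wrong guess") == pw
    except ValueError:
        guessed = False
    return (open_machine_bound(vault, os_key) == pw,
            open_passphrase_vault(pp_vault, "correct horse battery staple") == pw,
            guessed)
```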
And this is why you don't give microslop anything
Nothing in this timeline surprises me any more.
Lucky. I have surprise fatigue lol
I just can't be indifferent to reading news like "US To Start Firing Unspayed and Neutered Dogs Into The Ocean From Florida Coast"
Ha!
They say not to worry because they know nobody uses that dumpster fire of a browser so there's no actual risk of your passwords being leaked since you're not using it anyways.
Corporate has entered the chat.
Unless you're like me and the websites you use for work require it and don't work in literally any other browser (I have tried everything)
Hey. Hey. I got some PS scripts
How will the NSA spy on you if Microsoft doesn't hand them your passwords?
I am not worried, cause I'm not dumb enough to use Edge or Windows for that matter.
phew it’s an expected feature, thank goodness!!!
if they patch this, they should be dragged through the town square after that comment
It's an expected feature for me too, in that I expect Microsoft to be fucking useless at everything lol
You guys are using edge?
Edge is on my computer, and I can't delete it, at least not with my limited IT experience. It's buried deep in the operating system, and it opens up seemingly randomly. I use Firefox.
Looking online about getting rid of it, others described it as cancer.
It's not that hard, all you need is a USB drive and choosing a distro (the hard step)
Not sure how it works in Win11 but historically it has not been possible to remove Internet Explorer or Edge from Windows.
That is an anti-competitive practice and illegal in truth. Against the laws of the United States, the ones that aren't enforced anymore.
I have refused the upgrade and I'm still on Windows 10 which also sucks by the way. The old 2013-ish operating system, I think Windows 7, had a task manager that could actually help manage your computer even if you don't know everything about a computer.
And so much more, everything is going to shit especially in electronics. We seriously need just a complete set of Open Source or otherwise trustworthy alternatives.
Or a way to wipe the programming off of products we buy and install our own programming, but they would make that illegal if that caught on.
Agreed.
I assume you have some good reason for running Win10 on your PC but just in case you do need to hear it, you can try Linux live from a USB drive and see if it works for you.
The solution is to use Linux Mint.
I'm afraid as I am on my backup computer, and I worry that if I try to change over I will not do it correctly, as has been the case every single time I've tried to download a program to accept zip files or torrents. I don't know what my deal is.
I really do want to switch over, I am working on fixing my better computer. More than anything I want a graphene OS phone.
Good that you want to switch, take your time, don't be afraid. There are many resources online for how to switch without accidentally deleting or losing access to things. I have been using Linux Mint for over a year now, switching from Windows 10, and I haven't run into any limitations or issues. It's been a great learning experience and has overall led to me being more technologically savvy. If you have any questions there are many places to discuss, feel free to ask.
This is why gamers should reject kernel anti-cheats. A single dev at a single company that requires one could read them as easily as any other file. I'm not exaggerating, unless I'm misinformed
Just use a separate boot for games
One that is not Windows, yes
I think instead I will choose to both A) not install a rootkit on my desktop B) avoid an OS that handles passwords in plaintext
Wow, that's bad.
M365 chat also fetches a copy of whatever secured file links you send to each other. Goes without saying, but never use Microsoft products if you value security.
Trust me bro
Btw, don't ever copy & paste from your password manager, if that's a problem. That's what memory protection mechanisms in hardware and software are for.
The problem is the weird way it is implemented in Edge and how MS handles the issue.
Maybe, but at least with my password manager, they'd only get passwords as I use them and not the keys to the kingdom when I open it.
"Handles the issue" is a weird way to say they don't give a shit about protecting your passwords. They had to change this behavior, because chromium doesn't do this by default, so it's not really even negligence in Microsoft at that point. They chose to do this.
What is even the point of the DPAPI?
DPAPI no black, he's Dominican.
If you consider Haitians black, so are Dominicans.
Source: am Dominican.
Fuck Microslop Fuck windows 11
I haven't used a Microsoft browser or operating system in almost 25 years.
True, and I've met many of both groups. Vegans are usually pretty chill.
aside from when i was working in IT, same. My personal devices are Linux or macOS.
How can a company manage to be so bafflingly incompetent and why are there people out there still standing for it.
don't worry bb
Mom insists on pen and paper! Omg!
.... They are so bad
If you don’t have anything to hide, what’s the worry?
also in this case the thing ur hiding is ur freaking passwords
It’s the height of narcissism to believe that everyone wants to get your passwords.
You doing alright over there, chief? Your profile text reads like somebody who really needs a wellness check.
You're right. Reads kinda like a page from Se7en.
That profile is almost certainly AI based on the language patterns
AI is more coherent.
People fill those out? lol