Technology

84569 readers

3904 users here now

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related news or articles.
Be excellent to each other!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
Check for duplicates before posting, duplicates may be removed
Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago

MODERATORS

L3s@lemmy.world

enu@lemmy.world

technopagan@lemmy.world

L4s@lemmy.world

L3s@hackingne.ws

767

Microsoft Edge loads your passwords into memory in plaintext, but Microsoft says not to worry (www.windowscentral.com)

submitted 1 week ago by Itwasntme223@discuss.online to c/technology@lemmy.world

111 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[–] JackbyDev@programming.dev 22 points 6 days ago (3 children)

This is sort of like saying "I leave my valuables in plain sight by my door because it has a lock on it and door locks are trustworthy." I'm not super into cyber security and stuff but it seems like one of the most common problems is programs managing to get access to memory they shouldn't have access to. It seems to happen all the time! Just like many locks for you door are trash.

[–] quack@lemmy.zip 5 points 5 days ago

Defense in depth is a concept they teach you in cybersecurity 101. But that's expensive and time consuming, so you end up with shit like this.

[–] partofthevoice@lemmy.zip 2 points 5 days ago* (last edited 5 days ago)

It’s ridiculous. It presupposes that cybersecurity doesn’t value or employ defense in depth. Completely untrue.

Look at the attack vector researchers were trying to solve when they created OAuth2.0 w/ PKCE.

[+] jama211@lemmy.world 2 points 5 days ago (2 children)

[deleted]

[–] JackbyDev@programming.dev 4 points 5 days ago* (last edited 5 days ago) (1 children)

Don't overthink the metaphor. These things are fragile and fall apart. The "door with a lock" is the "guarantee" (wink wink) that the operating system won't let programs see memory they shouldn't be allowed to. Putting your valuables in a safe instead of sitting in the floor would be encrypting the passwords in memory in the metaphor.

Also, cyber security and physical security are very different. With cyber security you need to understand that there are orders of magnitude more people looking for simple problems. Like a criminal checking every door in the world automatically, just looking for ones that are unlocked. Someone not being a "target for master criminals" isn't really applicable for this. Besides, that's a critique of what level of security an individual should have, but pointing out the flaw in Edge is a critique of something that claims to be secure that isn't.

[–] mirshafie@europe.pub 2 points 5 days ago (1 children)

I extracted IE6 passwords from hundreds of people when I was 13, for fun. If passwords are now being stored plaintext again, they are going to leak. Some of the people who steal those passwords won't be doing it just for fun.