I confirmed this Edge behavior.
-
I confirmed this Edge behavior. It stores passwords in cleartext in its memory in ways Chrome and other browsers do not.
https://isc.sans.edu/diary/rss/32954
-
I confirmed this Edge behavior. It stores passwords in cleartext in its memory in ways Chrome and other browsers do not.
https://isc.sans.edu/diary/rss/32954
@mttaggart Unless you are unlocking your password manager every time you want to use a password, or you have a dongle-assisted password manager, at least in theory there's not much difference between storing passwords in cleartext in memory or storing encrypted passwords with the unlock key in memory.
Admittedly keeping passwords encrypted with the key in memory does make confirmation much harder, and exploitation a teensy bit harder, but an highly skilled attacker with access to your password manager's working memory shouldn't find much difference.
Virtual memory does throw a monkey wrench into this analysis, though. Virtual memory is one reason I am very interested in dongle-assisted password managers.
-
@mttaggart Unless you are unlocking your password manager every time you want to use a password, or you have a dongle-assisted password manager, at least in theory there's not much difference between storing passwords in cleartext in memory or storing encrypted passwords with the unlock key in memory.
Admittedly keeping passwords encrypted with the key in memory does make confirmation much harder, and exploitation a teensy bit harder, but an highly skilled attacker with access to your password manager's working memory shouldn't find much difference.
Virtual memory does throw a monkey wrench into this analysis, though. Virtual memory is one reason I am very interested in dongle-assisted password managers.
@leon_p_smith As I understand it, that's not exactly how Chrome does it anymore though. The keying material is not stored in the same process as the encrypted passwords. The process containing the key is owned by SYSTEM, even for user-launched browsers. Please keep me honest about that if I'm misremembering.
It is a limitation that this requires memory dumping, meaning an admin token. Nevertheless, the ease of capturing browser credentials without locating the key is meaningful for attackers.
-
I confirmed this Edge behavior. It stores passwords in cleartext in its memory in ways Chrome and other browsers do not.
https://isc.sans.edu/diary/rss/32954
@mttaggart well, that’ll be helpful. This is dumb.
-
I confirmed this Edge behavior. It stores passwords in cleartext in its memory in ways Chrome and other browsers do not.
https://isc.sans.edu/diary/rss/32954
@mttaggart 1995 called, it wants its cleartext browser password file back. I thought edge was based on Chrome? Obviously with the secure bits taken out....sheesh.
-
@mttaggart 1995 called, it wants its cleartext browser password file back. I thought edge was based on Chrome? Obviously with the secure bits taken out....sheesh.
@InfosecStuC It's a dump of the memory of the browser process, not a password vault.
-
I confirmed this Edge behavior. It stores passwords in cleartext in its memory in ways Chrome and other browsers do not.
https://isc.sans.edu/diary/rss/32954
A good reason to not submit crash reports.
