undefined | Better HN

0 pointsstaticassertion4y ago0 comments

There's nothing wrong with storing passwords in plaintext on the machine.

0 comments

3 comments · 1 top-level

drdec4y ago· 2 in thread

One vulnerability in your browser allowing file system access and now all your passwords are known to the hacker.

You run the wrong executable and there go all your passwords again, being uploaded to who knows where. But you 100% trust the authors of all the software you run and you know they would never be vulnerable to a sole chain attack a la SolarWind.

Don't keep passwords you can't afford to be public in plain text in a predictable location on the file system.

staticassertionOP4y ago

In every single case you've described the attacker can:

a) Already ready your passwords from memory/ webpages/ any other of the million ways

b) Access your cookies and session tokens

If the attacker is in a position to read the plaintext file off of the disk it really won't matter if it's encrypted. You're welcome to do so, I'm sure there are extremely niche scenarios where it may help, but it's not really worth mentioning imo.

drdec4y ago

Not all of your passwords will be in memory. I don't know how you read a password from "webpages".

Session tokens do not exist for websites you are not currently accessing. The password file will contain all the saved passwords, whether you are logged in or not.

2 more replies

j / k navigate · click thread line to collapse