this post was submitted on 06 May 2026
766 points (98.7% liked)

Technology

84449 readers
4052 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
766
Microsoft Edge loads your passwords into memory in plaintext, but Microsoft says not to worry (www.windowscentral.com)
submitted 3 days ago by Itwasntme223@discuss.online to c/technology@lemmy.world
118 comments fedilink hide all child comments
top 50 comments
sorted by: hot top controversial new old
[–] JackbyDev@programming.dev 22 points 2 days ago (3 children)

This is sort of like saying "I leave my valuables in plain sight by my door because it has a lock on it and door locks are trustworthy." I'm not super into cyber security and stuff but it seems like one of the most common problems is programs managing to get access to memory they shouldn't have access to. It seems to happen all the time! Just like many locks for you door are trash.

[–] quack@lemmy.zip 5 points 2 days ago

Defense in depth is a concept they teach you in cybersecurity 101. But that's expensive and time consuming, so you end up with shit like this.

[–] partofthevoice@lemmy.zip 2 points 2 days ago* (last edited 2 days ago)

It’s ridiculous. It presupposes that cybersecurity doesn’t value or employ defense in depth. Completely untrue.

Look at the attack vector researchers were trying to solve when they created OAuth2.0 w/ PKCE.

[–] jama211@lemmy.world 2 points 2 days ago (2 children)

And yet you and most people use a door with a lock instead of something more secure because... in general they do work well for the purpose they're trying to serve. Most criminals aren't master criminals, and master criminals aren't coming after your house.

[–] JackbyDev@programming.dev 4 points 2 days ago* (last edited 2 days ago) (1 children)

Don't overthink the metaphor. These things are fragile and fall apart. The "door with a lock" is the "guarantee" (wink wink) that the operating system won't let programs see memory they shouldn't be allowed to. Putting your valuables in a safe instead of sitting in the floor would be encrypting the passwords in memory in the metaphor.

Also, cyber security and physical security are very different. With cyber security you need to understand that there are orders of magnitude more people looking for simple problems. Like a criminal checking every door in the world automatically, just looking for ones that are unlocked. Someone not being a "target for master criminals" isn't really applicable for this. Besides, that's a critique of what level of security an individual should have, but pointing out the flaw in Edge is a critique of something that claims to be secure that isn't.

[–] mirshafie@europe.pub 2 points 2 days ago (1 children)

I extracted IE6 passwords from hundreds of people when I was 13, for fun. If passwords are now being stored plaintext again, they are going to leak. Some of the people who steal those passwords won't be doing it just for fun.

load more comments (1 replies)
[–] rmrf@lemmy.ml 9 points 2 days ago (3 children)

This is why gamers should reject kernel anti cheats. A single dev at a single company that requires one could read them as easily as any other file. I'm not exaggerating, unless I'm misinformed

load more comments (3 replies)
[–] pwxd@lemmy.zip 21 points 2 days ago (1 children)

"Yeah totally secure! Just trust me!.." basically

This is LITERALLY isn't secure; they should atleast make it encrypted. This is just the same as using your notes app as password manager! But it's microsoft, and they're willingly giving your bitlocker encryption key to the FBIs for your drives. So I'm not surprised..

[–] Rooster326@programming.dev 7 points 2 days ago* (last edited 2 days ago)

I feel it may be worse than using your notes app.

A malicious attack doesn't know which notes app, nor the filename.

This has every browser opening the exact same passwords.txt in root.

[–] GreenBeanMachine@lemmy.world 58 points 3 days ago (1 children)

That's the added trust and security they always boast about

[–] Alberat@lemmy.world 12 points 3 days ago

trust is multiplicative, not additive

[–] baronvonj@piefed.social 175 points 3 days ago (2 children)

Microsoft SSH agent persistently stores your unencrypted private keys in the registry. They're still there unlocked and usable after you reboot.

https://github.com/PowerShell/Win32-OpenSSH/issues/1487

[–] mbp@slrpnk.net 30 points 3 days ago (1 children)

God, the final comment in that thread makes my blood boil.

[–] rbos@lemmy.ca 3 points 2 days ago

That is infuriating. Leaving those keys available to the user means that worms can later use you to compromise additional machines. It turns a local problem into a much bigger one. There's a recursive script out there that automatically scans your ssh files and attempts to access all hosts in your history..name escapes me at the moment.

load more comments (1 replies)
[–] FosterMolasses@leminal.space 44 points 3 days ago

Everytime I read a Microsoft headline these days

[–] afporritt1001@lemmy.today 4 points 2 days ago* (last edited 2 days ago)

Fuck Microslop Fuck windows 11

[–] quantumvoid0@programming.dev 106 points 3 days ago (4 children)

does this company intentionally want users to stop using it? cuz day by day either theres a new windows bug or just shittier softwares

load more comments (4 replies)
[–] SeductiveTortoise@piefed.social 29 points 3 days ago

altr

[–] Passerby6497@lemmy.world 36 points 3 days ago (6 children)

Safety and security are foundational to Microsoft Edge. Access to browser data as described in the reported scenario would require the device to already be compromised. Design choices in this area involve balancing performance, usability, and security, and we continue to review it against evolving threats.

"We value user safety and usability, but if you're already compromised you can go fuck yourself"

load more comments (6 replies)
[–] fira@lemmy.today 9 points 2 days ago (1 children)

You guys are using edge?

[–] teyrnon@sh.itjust.works 5 points 2 days ago (3 children)

Edge is on my computer, and I can't delete it, at least not with my limited IT experience. It's buried deep in the operating system, and it opens up seemingly randomly, I use firefox.

Looking online about getting rid of it, others described it as cancer.

[–] Benaaasaaas@group.lt 8 points 2 days ago

It's not that hard, all you need is usb drive and choosing a distro (the hard step)

[–] jaykrown@lemmy.world 4 points 2 days ago (1 children)

The solution is to use Linux Mint.

[–] teyrnon@sh.itjust.works 2 points 2 days ago (1 children)

I'm afraid as I am on my backup computer, and I worry that if I try to change over I will not do it correctly as has been the case every single time I've tried to download a program to accept zip files, or torrents I don't know what my deal is.

I really do want to switch over, I am working on fixing my better computer. More than anything I want a graphene OS phone.

[–] jaykrown@lemmy.world 4 points 2 days ago

Good that you want to switch, take your time, don't be afraid. There are many resources online for how to switch without accidentally deleting or losing access to things. I have been using Linux Mint for over a year now switching from Windows 10 and I haven't run into any limitations or issues. It's been a great learning experience and has overall lead to me being more technologically savvy. If you have any questions there are many places to discuss, feel free to ask.

[–] mirshafie@europe.pub 4 points 2 days ago (3 children)

Not sure how it works in Win11 but historically it has not been possible to remove Internet Explorer or Edge from Windows.

[–] teyrnon@sh.itjust.works 2 points 2 days ago

That is an anti-competitive practice and illegal in truth. Against the laws of the United states, the ones that aren't enforced anymore.

load more comments (2 replies)
[–] boogiebored@lemmy.world 9 points 2 days ago (1 children)

phew it’s an expected feature, thank goodness!!!

if they patch this, they should be dragged through the town square after that comment

[–] CrabAndBroom@lemmy.ml 3 points 2 days ago

It's an expected feature for me too, in that I expect Microsoft to be fucking useless at everything lol

[–] GainGround@kopitalk.net 51 points 3 days ago (2 children)

Our lives are in the hands of morons. What the fuck.

load more comments (2 replies)
[–] 58008@lemmy.world 32 points 3 days ago (12 children)

2026 is gonna be the year I finally move to Linux. I have huge concerns about many aspects of switching, but they're being overtaken by concerns about staying with Windows. I don't even mind if my overall user experience is a bit worse on Linux (I am trying to have reasonable expectations that it won't be the walk in the park Linux advocates on Lemmy like to claim), I just have much more faith in its security, privacy, customisability and - most importantly - the motivations and intentions of its developers.

[–] Bytemeister@lemmy.world 4 points 2 days ago

I switched my mom to Linux because teaching her how to use Linux as her daily driver was easier than trying to unfuck windows on her computer.

Back up your data and then go nuts.

[–] BozeKnoflook@lemmy.world 18 points 3 days ago

Best of luck! If you've got questions or problems feel free to DM me (or reply here) and I'll try to help as best I can. I've been using linux since the mid 90s, so I have a decent idea of how it all works :)

load more comments (10 replies)
[–] Reygle@lemmy.world 49 points 3 days ago (2 children)

HOLY @#%^ WHAT IN THE @#%^ DO THEY MEAN "NOT TO WORRY"?????????????????

[–] XLE@piefed.social 32 points 3 days ago (1 children)

Well, hold on now, maybe Microsoft has a reasonable explanation for how they actually do secure their passwords...

This is an expected feature of the application.

... Never mind.

[–] JohnAnthony@lemmy.dbzer0.com 12 points 3 days ago (1 children)

Design choices in this area involve balancing performance, usability, and security

Nothing to do with usability since decrypting your passwords one by one is perfectly fine. So they are saying this is about performance ? Holy fuck...

load more comments (1 replies)
load more comments (1 replies)
[–] BaraCoded@literature.cafe 10 points 2 days ago

How will the NSA spy on you if Microsoft doesn't hand them your passwords?

[–] azvasKvklenko@sh.itjust.works 19 points 3 days ago (1 children)

I don’t worry, I just don’t use Edge or Windows or any MS software really (except for Teams at work)

load more comments (1 replies)
[–] weaponG@lemmy.world 14 points 3 days ago (2 children)

Nothing in this timeline surprises me any more.

load more comments (2 replies)
[–] zerofk@lemmy.zip 20 points 3 days ago (3 children)

Access to browser data as described in the reported scenario would require the device to already be compromised.

Yes you can open our safe with just a good yank but if a thief can do that they’re already in your house.

load more comments (3 replies)
[–] Blackdoomax@sh.itjust.works 7 points 2 days ago

Trust me bro

load more comments
view more: next ›