[matthewmacleod]

Maybe I'm not understanding fully how this works, but couldn't any user with administrative access already gain access to this information anyway? It's obviously got to be stored unencrypted in the browser's memory, regardless of how it gets there; I'm not sure what the difference is here.

[jlgaddis]

They could, sure, but this lowers the bar, I think. It's a helluva lot easier to simply fire up a packet capture for a few minutes and grab the credentials from that than to go sifting through all the gigabytes of RAM for the credentials.