[lxgr]

They are writing the passwords to users' disks at least, which by itself is already really bad and easily avoidable.

[UncleMeat]

How is that bad?

If you've got malware on your machine then you are already fucked. Desktops don't tend to have strong process isolation that keeps malware from reading a password in flight anyway.