[Someone1234]

If it is a process, running in the same user context, with the ability to read/dump arbitrary memory -- As the KeePass database is decrypted it would "store all passwords in memory in plain text" too.

The fix isn't Edge Vs. Chrome. Vs KeePass Vs. Bitwarden, it is "How do I have my passwords exist in a different execution context than [evil process able to read all memory]?"

Android and iOS have an "answer" to this problem. Desktop OSs having all processes running side by side in the user's execution context, do not. It is only as secure as the least secure process running.

[dist-epoch]

Windows already has a secure kernel credential store, they could move the Edge password store there with a bit of effort, minimize the splash damage when you retrieve a single password to send over HTTP from the regular user space.

> Credential Guard prevents credential theft attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials stored by applications as domain credentials.

> Credential Guard uses Virtualization-based security (VBS) to isolate secrets so that only privileged system software can access them.

https://learn.microsoft.com/en-us/windows/security/identity-...

[jazzyjackson]

Windows 11* and MacOS also do the job as long as you're using hardware bound passkeys.

* I don't want to speak past my own experience so checking my work, Windows can store passkeys in a TPM if available but falls back to storing on disk... https://helgeklein.com/blog/checking-windows-hello-for-busin...

[xaduha]

I was looking for an answer to this when it comes to using Edge password manager in particular, it uses Windows Hello as far as I know and while it does make 'synced' passkeys they don't seem to be usable anywhere than the original machine. Useful when reinstalling Windows at least.

https://yourpasskeyisweak.com does not mention Edge.

[WolfeReader]

This makes me miss running Qubes a few years ago, and keeping BitWarden in a separate VM from everything else. I've never felt as secure as when I had that setup.

[johanyc]

Why did you stop?

[WolfeReader]

It was on a work computer, and my next job was a lot less permissive about letting us run our own OS.

My personal computer is too gaming-focused to be a good candidate for Qubes.

[wat10000]

I'm pretty sure macOS is more like iOS in this respect. At the very least, the passwords are typically secured biometrically and only the one being used is actually decrypted at the time of use.