[Lorkki]

In recent years we've also had browser-exploitable vulnerabilities that allowed reading arbitrary memory as a regular user, but slowly or without full control over the locations. I think wiping credentials as soon as possible after use is a very sensible precaution, even if it's only a moat.

[giancarlostoro]

I wonder about those kinds of exploits that sit on a webpage, but what stops someone from injecting their payload on a sites login page? JS can grab the password in plaintext in such a scenario, at which point the password manager does not save you. Can we normalize Passkey more?

[IgorPartola]

I think the point is that you can have arbitrary website read the browser’s memory so example.com can read the password for example.org and example.net.

[traderj0e]

Or the computer's memory via Meltdown and Spectre-like attacks

[anthk]

That's why I disable JS by default with UBlock Origin. And OFC never allow JS to acces your clipbaord.

[avereveard]

It's surprisingly hard to do the compiler or cpu may see a write without a read and optimize it away. Windows has a SecureZeroMemory and a few other barrier primitives but not all languages reach to it