by Brandon0 4745 days ago
Which, according to his findings with the dumpmon twitter bot, is not uncommon. Obviously you can make the case that YOU would use anti-virus software and YOU wouldn't let malware be installed on your computer, but in the end, you're still using a fairly insecure method to store your important passwords. And really, wouldn't a solution like LastPass be better in every way anyway?

I remember some software explicitly storing your saved passwords in plain text to make the point that storing it "encrypted" is in the end no different.

Short of making you log in to your browser/password manager with a master password every time, how can you possibly store and retrieve passwords without letting other programs running with the exact same permissions as you retrieve them?

The Mac OS X Keychain[1] acts as a gatekeeper and has fine-grained permissions, so you can let one application have default access to certain passwords (e.g., web passwords) but not others (IMAP/local file shares), or even require the app to prompt you each time it wants access to a password.

Of course, that's assuming all the software is well-behaved. You could have local malware that pops up a fake master password dialog, tricks a user into filling it out, pulls the keychain out of the user's Library, then decrypts the whole keychain file manually.

Once there's malware running as the user himself, all bets are off. This is why iOS is probably the most secure OS out there - there's no chance for malware to get on the device.

[1] http://en.wikipedia.org/wiki/Keychain_(Apple)
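The per-application access list described above, as an added example using Apple's Security framework (this is not code from the thread or from Apple; the service/account names and the trusted app path are placeholder assumptions). The item is created so that only the listed application reads it silently, while any other well-behaved caller triggers the Keychain prompt; as the comment above notes, this does nothing against code that simply copies the keychain file.

```swift
import Foundation
import Security

/// Store a generic password in the login keychain with an ACL that
/// grants default (no-prompt) access only to `trustedAppPath`.
/// Any other application asking for the item gets the Keychain
/// "allow / always allow / deny" dialog instead of silent access.
func storeSecretWithACL(service: String,
                        account: String,
                        secret: String,
                        trustedAppPath: String) -> OSStatus {
    // Build a SecTrustedApplication for the one app allowed default access.
    var trustedApp: SecTrustedApplication?
    var status = SecTrustedApplicationCreateFromPath(trustedAppPath, &trustedApp)
    guard status == errSecSuccess, let app = trustedApp else { return status }

    // An explicit (non-nil) trusted list means "prompt for everyone else".
    // Passing nil here would instead trust every application.
    var access: SecAccess?
    status = SecAccessCreate("example item" as CFString, [app] as CFArray, &access)
    guard status == errSecSuccess, let acl = access else { return status }

    let attributes: [CFString: Any] = [
        kSecClass:       kSecClassGenericPassword,
        kSecAttrService: service,
        kSecAttrAccount: account,
        kSecValueData:   Data(secret.utf8),
        kSecAttrAccess:  acl,              // attach the ACL to the new item
    ]
    return SecItemAdd(attributes as CFDictionary, nil)
}

// Placeholder values: the app path is assumed to exist on the test Mac.
let status = storeSecretWithACL(service: "example.imap.server",
                                account: "alice",
                                secret: "not-a-real-password",
                                trustedAppPath: "/Applications/Mail.app")
if status == errSecSuccess {
    print("stored; other apps will be prompted before reading it")
} else if let msg = SecCopyErrorMessageString(status, nil) {
    print("keychain error \(status): \(msg)")
}
```

Run on macOS with the Security framework available; `security dump-keychain -a` in Terminal shows the resulting ACL entry for the item.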