Project ideas from Hacker News discussions.

Microsoft Edge stores all passwords in memory in clear text, even when unused

📝 Discussion Summary

3 dominant themes

| Theme | Summary | Representative quotes |
|-------|---------|------------------------|
| 1. “Store” ≠ “Load” – semantics matter | Participants stress that “stores in memory” is a misleading phrasing; passwords are loaded temporarily, not persisted, and “stored” conventionally means on‑disk. | “When someone says passwords are ‘stored’, the assumption will always be ‘stored on disk’.” (mfro); quoted back by saghm: “> When someone says passwords are ‘stored’, the assumption will always be ‘stored on disk’.” |
| 2. In‑memory exposure is unavoidable; only marginal defenses exist | Even with encryption or obfuscation, plaintext passwords must reside in RAM while used, and if an attacker can read process memory they can dump them. Extra layers (guard pages, Credential Guard) help only against limited threat models. | “If an attacker gains administrative access on a terminal server, they can access the memory of all logged‑on user processes.” (gruez); “There’s little hope of protecting against a snooper seeing the passwords you actually use, since they have to exist in plaintext at some point.” (dvt) |
| 3. Push toward passkeys/hardware‑based auth; usability trade‑offs | Many see browser‑vendored passkeys as the next step, but they bring forced UI prompts, limited cross‑device portability, and vendor lock‑in concerns. | “One more reason to use hardware‑bound passkeys and not passwords.” (jazzyjackson); “I've been avoiding passkeys but more and more websites are trying to push them … it just goes ahead and triggers my browser passkey creation mechanism without my consent.” (StilesCrisis) |


🚀 Project Ideas

Secure Enclave Password Manager

Summary

  • A local password manager that decrypts secrets only inside an OS‑level confidential‑computing enclave (e.g., Windows Credential Guard, macOS Secure Enclave), exposing plaintext credentials solely to the UI process.
  • Eliminates the “in‑memory plaintext” exposure discussed in the HN thread while keeping the workflow identical to existing managers.

Details

| Key | Value |
|-----|-------|
| Target Audience | Security‑focused individuals, privacy‑centric professionals, and enterprises needing zero‑knowledge credential storage. |
| Core Feature | Runtime secret isolation using hardware‑backed enclaves; automatic secret wiping after use. |
| Tech Stack | Electron + C++ enclave API (Windows Credential Guard / macOS Secure Enclave), React UI, Node.js for sync. |
| Difficulty | Medium |
| Monetization | Revenue-ready: $4.99/mo subscription |
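The “automatic secret wiping after use” feature above, and the thread's second theme (plaintext must sit in RAM while it is used, and wiping only narrows that window), can be made concrete with a small defender-side example. This is an added illustration, not code from the project idea or from Edge; `secure_wipe`, `use_secret_then_wipe` and the sample secret are constructed for it.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Overwrite n bytes through a volatile pointer so the optimizer cannot
 * discard the stores as dead (a plain memset right before a buffer goes
 * out of scope frequently is removed). Hypothetical helper for this example. */
void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Returns 1 if every byte in [p, p+n) is zero, 0 otherwise. */
int buffer_is_zeroed(const unsigned char *p, size_t n) {
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) acc |= p[i];
    return acc == 0;
}

/* Simulates one credential use: the secret is copied into a working buffer,
 * "used" (a toy checksum stands in for the real operation), then wiped.
 * While in use, the plaintext is unavoidably readable by anything that can
 * read this process's memory; the wipe only shortens that window.
 * Returns 1 if plaintext was present during use and none remains afterwards. */
int use_secret_then_wipe(const char *secret, uint32_t *checksum_out) {
    unsigned char work[64];
    size_t len = strlen(secret);
    if (len > sizeof work) len = sizeof work;
    memcpy(work, secret, len);

    /* The "in use" window: the secret is plaintext in RAM here. */
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i++) sum = sum * 31u + work[i];
    if (checksum_out) *checksum_out = sum;

    int residue_before = !buffer_is_zeroed(work, len);
    secure_wipe(work, sizeof work);
    return residue_before && buffer_is_zeroed(work, sizeof work);
}

int main(void) {
    uint32_t sum;
    const char *demo = "correct-horse-battery-staple"; /* constructed sample */
    int ok = use_secret_then_wipe(demo, &sum);
    printf("checksum=%u wiped=%d\n", sum, ok);
    return ok ? 0 : 1;
}
```

The check at the end is the point: wiping after use is a real but marginal defense. It removes residue an attacker could find later in a memory dump, but it does nothing for a snooper who reads the process while the credential is in use, which is exactly the threat model the thread calls unavoidable.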

Notes

  • HN users repeatedly stress that “storing in memory” is fundamentally different from “storing on disk”; this product addresses that by never persisting plaintext outside the enclave.
  • Quote from saghm: “I don’t find it plausible that you think most people would see ‘stores in memory’ would mean ‘stores on disk’…”, showing demand for clearer security semantics.

Passkey Sync Bridge

Summary

  • A cross‑platform passkey synchronization service that lets users adopt passkeys without losing access to existing password‑based accounts, providing seamless migration, recovery, and multi‑device fallback.
  • Tackles the frustration expressed by StilesCrisis and jazzyjackson about forced passkey adoption and device‑dependency headaches.

Details

| Key | Value |
|-----|-------|
| Target Audience | General consumers transitioning to passwordless authentication, developers building authentication flows, and enterprises planning passwordless rollout. |
| Core Feature | Unified passkey vault with automatic backup, device‑level recovery keys, and transparent fallback to passwords during migration. |
| Tech Stack | Flutter for UI, Rust backend, decentralized storage via IPFS, end‑to‑end encryption with libsodium. |
| Difficulty | High |
| Monetization | Revenue-ready: $2.99/mo per user (team plans available) |

Notes

  • Users like mfro and saghm point out misunderstandings around “stores in memory” that highlight the need for clearer messaging; this service pairs education with practical migration tools.
  • Potential for discussion: many HN commenters debate the practicality of passkeys (“Your hardware dies…”), making a bridge that mitigates those concerns highly relevant.

Credential Leak Guardian

Summary

  • A browser extension that continuously monitors saved credentials for exposure through memory‑dump attacks, alerts the user instantly, and offers one‑click secure export to an isolated vault.
  • Directly addresses the “airtight hatch” metaphor and the fear that attackers can dump passwords from any same‑user process.

Details

| Key | Value |
|-----|-------|
| Target Audience | Browser users of Edge, Chrome, and Firefox who rely on built‑in password managers but worry about memory‑dump vulnerabilities. |
| Core Feature | Real‑time memory‑access detection, pop‑up alerts, and guided export to a hardened KeePass‑style vault. |
| Tech Stack | WebExtensions API, Electron‑based monitor service, native OS APIs for process memory enumeration (Win32, macOS Mach‑O). |
| Difficulty | Low |
| Monetization | Hobby |

Notes

  • Quote from Someone1234: “If an attacker gains administrative access … they can access the memory of all logged‑on user processes.” – users want concrete protection, not just theory.
  • Offers a practical utility: many commenters debate whether in‑memory exposure is a real threat, and this tool provides an actionable mitigation.
