The Proton Pass password manager follows the bad practice of keeping unencrypted usernames and passwords in the computer's memory.
@Nelizea@lemmy.world (mod) · 27 · 1Y

All password managers keep data unencrypted in memory. You can’t encrypt the data in memory because then the application cannot use the data while it is running. It’s a universal issue for password managers, and not something that can be fixed.

While you can obfuscate the data, this is really security theater, because it is trivial to reverse engineer the obfuscation. In the future, Proton Pass may also obfuscate, but it doesn’t actually add any security.

If you enable PIN lock, the data is encrypted locally and cleared from memory when the PIN lock is activated. The security benefit of this in the case of a compromised device is likely marginal, as malware on a device would be able to key log the pin and bypass it in that manner. However, PIN lock can be desirable on a shared device (although somebody with access to the shared device could also install a keylogger…).

In the previous version of Proton Pass, after the PIN lock, it can take up to 30 minutes to clear data from memory, while the new version clears it immediately. It was previously immediate, but a code regression set it back to up to 30 minutes, but this has now been fixed. In general, for the reasons previously explained, we would not advise people to rely upon the PIN to secure against malware or shared devices, and that’s why PIN is not enabled by default, as the security benefit is likely marginal.

By the way, to even take advantage of this, somebody would need to have access to the device and the ability to access the device memory, in which case the PIN is not going to be effective because the device is already compromised. Unfortunately protecting against this type of device compromise is beyond the scope of Proton Pass (or any other password manager).

The most important part is highlighted in bold.

Source:

https://www.reddit.com/r/ProtonPass/comments/16mk5dr/proton_pass_login_data_is_stored_unencrypted_in/k1dxdlc/
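To make the mechanism in the quoted reply concrete, here is a small hypothetical vault model written for this thread (not Proton Pass code, and the credential is a constructed sample): entries are necessarily plaintext in RAM while the vault is unlocked, and the lock step wipes that plaintext through a volatile pointer so the compiler cannot optimise the erase away, then verifies nothing survived.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical vault model (not Proton Pass code): plaintext while unlocked,
 * wiped when the PIN lock engages. SECRET_CAP is an assumed fixed field size. */
#define SECRET_CAP 64

struct vault_entry {
    char username[SECRET_CAP];
    char password[SECRET_CAP];
};

struct vault {
    struct vault_entry *entries;  /* caller-owned storage with decrypted entries */
    size_t count;
    int unlocked;
};

/* Zero through a volatile pointer so the stores cannot be dropped as "dead";
 * a plain memset right before the buffer goes out of use is often elided. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* A real manager would decrypt the vault with a PIN-derived key here; this
 * stand-in just copies constructed sample entries into storage as plaintext. */
void vault_unlock(struct vault *v, struct vault_entry *storage,
                  const struct vault_entry *plain, size_t n) {
    memcpy(storage, plain, n * sizeof *storage);
    v->entries = storage; v->count = n; v->unlocked = 1;
}

/* Lock: erase every plaintext secret, then drop the references. */
void vault_lock(struct vault *v) {
    if (v->entries) secure_wipe(v->entries, v->count * sizeof *v->entries);
    v->entries = NULL; v->count = 0; v->unlocked = 0;
}

/* 1 if any byte in the region is non-zero, i.e. a secret survived the wipe. */
int region_has_residue(const void *p, size_t n) {
    const unsigned char *b = p;
    for (size_t i = 0; i < n; i++) if (b[i]) return 1;
    return 0;
}

/* Scenario: plaintext is readable while unlocked, storage is all zeros after
 * lock. Returns 0 when both checks hold. */
int vault_demo(void) {
    struct vault_entry plain[1] = {{ "alice@example.com", "correct-horse" }};
    struct vault_entry storage[1];
    struct vault v = {0};
    vault_unlock(&v, storage, plain, 1);
    int visible = strcmp(v.entries[0].password, "correct-horse") == 0;
    vault_lock(&v);
    int clean = !region_has_residue(storage, sizeof storage) && !v.unlocked;
    secure_wipe(plain, sizeof plain);  /* the source copy must go too */
    return (visible && clean) ? 0 : 1;
}
```

The wipe covers only memory the program controls; copies the OS or a swapped page may hold, or a keylogger capturing the PIN itself, are outside what this step can address, which is the point the quoted reply makes.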

BrikoX (creator) · 5 · 1Y

While I agree that the case in question is not really a problem, this comment misses the point. The issue is the code regression happening in the first place and being fixed only after being caught again by a 3rd party.

@lustrum@sh.itjust.works · 9 · 1Y

*used to

Password managers are an oxymoron. Write it on post-it notes like our ancestors have always done.

And hope that you never in your life need to log in from somewhere else than your home, I assume.

RaivoKulli · 3 · 1Y

That seems like a terrible system

Zorro · 36 · 1Y

I don’t think that word means what you think it means

Otter · 21 · 1Y

Why do you think they’re an oxymoron?

Passwords cannot be managed, they beget anarchy. /s

So you’re saying they’re cats?
