Retaining Passwords in Cleartext Form in Memory

I read tonight that Proton Pass retains unencrypted passwords and usernames in memory, and Bitwarden was also mentioned as doing the same thing.

Is this true about Bitwarden and if so, is it something to worry about?

See article below:

The only mention of Bitwarden in the article that you linked is an untrue claim made by a representative from Proton, a Bitwarden competitor.

The article says the following about Proton Pass:

To make matters worse, this sensitive data is not wiped from the memory when the vault is locked post-login, making it susceptible to exfiltration by info-stealer malware or attackers with physical access to the target machine.

The above is not true of Bitwarden.

However, while the vault is unlocked, of course the passwords have to exist in unencrypted form in the device memory — how else are you going to use the passwords?

It’s pretty lame that they would do that.

Yeah, that makes sense.


To be fair, this could be misinformation by the author of the RestorePrivacy article. It is not a well-researched piece of writing.