If Chrome has access to them without user authentication, then so does any attacker who can dump Chrome's RAM.
Please describe how this is possible because this is not how Chrome works. This is only how Edge works.
the IT admin assisting (accessing) your computer absolutely has the ability the compromise your passwords.
Please describe how.
Yes we need malware to make this work, but the reality is the malware in this case has a far larger scope than it would on e.g. Chrome.
As stated by the researcher, anyone with admin rights to a computer can get the credentials of any other logged-on user on that machine. That does not require malware. Where I work IT admins do not have total rights to all systems as their access is compartmentalized. They have rights to certain systems. The server admins do not have rights to my computer and cannot help me with a computer issue. IT support admins do not have rights to the servers but can help me with a computer issue. Also where I work more systems have moved more to the cloud so the browser is increasing the only UI to access systems. Systems like HR, Payroll, etc. are now exposed as the IT support person should not and did not have access to HR. But now they can get access.
If the browser can decrypt it without you entering a password or doing a biometric authentication to a secure enclave, then so can an attacker who controls the browser.
Do you even know how password managers work? All your arguments stem from your flawed understanding of how they work. This is not how they work.
Encrypting the database achieves something useful against an attacker who can read the browser's files, but not against an attacker who can dump the browser's RAM.
Did you even read the summary? Chrome and Firefox only decrypts one password at a time and then deletes the password from memory once used. Only Edge loads the entire database in memory.
hey can dump your password database,
The password database is encrypted. At least it should be.
unless the browser required authentication for every password retrieval.
It would be much safer if the browser requires authentication for each site. Generally most users are not opening new sites every second. A possible threat is the one in the summary.
If an attacker has enough control of your machine to dump the password database, they have enough control to get it to retrieve the plaintext passwords unless every retrieval requires user authentication in the loop -- which would be pretty annoying, which is why they don't do that.
The whole point is an attacker dumping the encrypted password database does little as it is encrypted. Chrome and other password manages only decrypts one password at a time. Even if an attacker exposes that password, all the other passwords are safe.
Still, if it were me writing the code, I'd do it Chrome's way, just because leaving secrets sitting around in plaintext in RAM makes me uncomfortable.
To me, the Edge way is just laziness. It is also less efficient by storing every single password.
The best things in life go on sale sooner or later.
