I do not like that memo.cash stores your wallet password in cleartext in your local storage. Instead some token should be generated server-side and used instead. This token is then validated on each server call.
This would mean storing passwords in plain-text server side, which is worse. We're following the best practices of other major platforms (Yours.org, Blockchain.info).
Browsers need the PW to decrypt the PRVKEY to sign TXs. It has to be saved locally; memo has to have it; or you type it in every time. If memo has it, it defeats the purpose entirely.
Right, I'm not sure if people are understanding this. Memo's not storing private keys on their server. That's nice b/c if they are hacked, nobody will be able to just take all the BCH.
Other domains can't access the local storage of memo.cash, right? Can desktop apps? I wouldn't put a lot of money in my memo wallet anyway, but I think it should be a safe practice.
Correct, local storage can't be accessed by other domains. It depends on which browser you're using, but I think all major browsers encrypt cookies, local storage, etc on disk.
Looks like I may be wrong about this. Sounds like Google's stance is that if someone has access to your computer, they also have access to your browser.
It seems that other webpages cannot access it, but any local application could. I think Google is right, any local executable could just as well be a keylogger.
I can agree plain text seems crazy, There is no reason they can't do some type of low level encryption.
