
Key is stored in Windows Credentials Manager even when I don't check "remember me" and even after sign out #4085

@AqlaSolutions

Describe the bug
According to the documentation, when I don't check "remember me", my credentials are not persisted locally. This is not true - the encryption key IS persisted (it is not my password, but it is still the key for my data). Also, even signing out does not remove that key.

To Reproduce
Steps to reproduce the behavior:

  1. Sign out of all workspaces
  2. Check CM entries (reopen it to refresh)
  3. Delete CM entries
  4. Sign in again, do not check "remember me"
  5. Check CM entries (reopen it to refresh)

Expected behavior
CM entries are correctly removed when signing out.
CM entries are never created when "Remember me" is off.
"Remember me" stays off when I log in next time.
Email is either prefilled next time OR workspace name is reset.

Desktop (please complete the following information):

  • OS: Windows 11 25H2
  • Version 3.201.2

Additional context
As a result, any Steam games I run can potentially read my encryption key, decrypt my notes and send them wherever they want. No keylogger is involved. Also, if I decide to use a different user to prevent other apps from accessing the credentials (even though it would force me to remember one more password), the key is still stored on my HDD and can be extracted if BitLocker is disabled.

Also, the checkbox for "remember me" is always on by default even if I disabled it the previous time. Additionally, the workspace name remembers my email, but when I try to sign in next time, I have to type my email again (not only password) - why?
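The Credential Manager checks in steps 2 and 5 can be made repeatable by saving `cmdkey /list` output after step 3 and again after step 5, then diffing the two snapshots. The Python below is an added example, not part of the original report or the project's code; it assumes the English-locale `cmdkey` output layout, and the snapshots and target names in it are constructed placeholders.

```python
import re

# Constructed `cmdkey /list` snapshots (English-locale layout assumed); the
# target names are placeholders, not the application's real entry names.
BEFORE = """\
Currently stored credentials:

    Target: LegacyGeneric:target=git:https://example.invalid
    Type: Generic
    User: alice
    Local machine persistence
"""

AFTER = BEFORE + """
    Target: LegacyGeneric:target=ExampleNotesApp/workspace-key
    Type: Generic
    User: alice@example.invalid
    Local machine persistence
"""

FIELD = re.compile(r"^\s*(Target|Type|User):\s*(.*)$")


def parse_entries(text):
    """Return {target: {"type", "user", "persistence"}} from cmdkey output."""
    entries, current = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and m.group(1) == "Target":
            current = {"type": "", "user": "", "persistence": ""}
            entries[m.group(2).strip()] = current
        elif m and current is not None:
            current[m.group(1).lower()] = m.group(2).strip()
        elif line.strip() and current is not None:
            # Any other non-empty line inside a block is the persistence note.
            current["persistence"] = line.strip()
    return entries


def created_between(before, after):
    """Entries present in the later snapshot but not in the earlier one."""
    old = parse_entries(before)
    return {t: e for t, e in parse_entries(after).items() if t not in old}


if __name__ == "__main__":
    for target, entry in created_between(BEFORE, AFTER).items():
        print(f"NEW {target} ({entry['type']}, {entry['persistence']})")
```

Swapping the two arguments lists entries that disappeared, which covers the sign-out expectation; the persistence line shows whether a new entry is written to survive the logon session.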
