10
monr0e
6y

Back at <biginternationalorg> I witnessed a developer deliberately build an XSS vuln into a company web application, so that he could plug a JS file in with all of his passwords hardcoded. Bear in mind, this is an org that provides services to both the UK and US military, and if you have access to some stuff you have access to the tools you need to impersonate high-ranking military folks.

I know it's like twenty different passwords, but that's what a goddamn keychain is for! If you don't trust Windows keychains, do what I did and run a VM with a FOSS keychain installed! Don't build a vuln right into a public-facing web app, that's just stupidity.
