philipmw/phrase.shop

Persisting/clearing policy for generated phrases

Opened this issue · 0 comments

Right now, the app displays the last generated phrase indefinitely, but it does not persist it in any local storage.

This means we don't control if/when the phrase disappears from the customer. It depends on the browser. For mobile devices, it depends on memory pressure.

The customer may want us to clear the phrase more aggressively. They can already close the tab/window, but maybe they forgot and hand the device to someone else who can unintentionally see the phrase.

Or the customer may want us to be conservative and persist the phrase until they explicitly clear it. I've had it happen that I generate a phrase, set it as the password on an important system, then forget it, and it was already gone by then.

I see three possible approaches:

  1. Clear phrase after X time (optimize for security).
  2. Keep current behavior and let the browser manage it (optimize for simplicity).
  3. Persist phrase in local storage until explicit customer action. (optimize for data integrity).

I don't have a clear answer.
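The three approaches listed in the issue, sketched as one policy switch. This is an added example, not phrase.shop's code: `createPhraseHolder`, the policy names, `STORAGE_KEY` and `memoryStorage` are hypothetical, and `memoryStorage` stands in for `window.localStorage` so the block runs outside a browser.

```javascript
// Hypothetical names throughout; not taken from the phrase.shop code base.
const STORAGE_KEY = "lastPhrase";

// Constructed stand-in for window.localStorage (same getItem/setItem/removeItem shape).
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// policy: "expire"  -> approach 1, clear after ttlMs
//         "browser" -> approach 2, memory only, lifetime left to the browser
//         "persist" -> approach 3, kept in storage until clear() is called
function createPhraseHolder({ policy, ttlMs = 60000, storage = null, now = Date.now }) {
  let phrase = null;
  let expiresAt = null;

  // Approach 3: a persisted phrase survives reloads and tab eviction.
  if (policy === "persist" && storage) phrase = storage.getItem(STORAGE_KEY);

  function clear() {
    phrase = null;
    expiresAt = null;
    // Always wipe storage, so switching policy never leaves a stale copy behind.
    if (storage) storage.removeItem(STORAGE_KEY);
  }

  return {
    set(value) {
      phrase = value;
      expiresAt = policy === "expire" ? now() + ttlMs : null;
      // Caveat: a stored phrase sits in the browser profile in plain text and is
      // readable by any script running on the same origin.
      if (policy === "persist" && storage) storage.setItem(STORAGE_KEY, value);
    },
    get() {
      // The expiry is a deadline checked on every read, so it does not depend
      // on a timer firing while the tab is in the background.
      if (expiresAt !== null && now() >= expiresAt) clear();
      return phrase;
    },
    clear,
  };
}
```

In a page, the rendering code would call `get()` whenever the tab becomes visible again, so an expired phrase is dropped before it is redrawn.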