At work in a PHP application, we rely on libsodium to erase a password from $_POST. It may sound like a good idea: once the password is not in memory any more, it can't leak. But the question is: is it really erased from memory? That's the question will answer …