I'm writing a Chrome extension right now which autofills credentials similar to Chrome's autofill (for cases in which Chrome's autofill fails).
Is there a secure way to store the username/password in localStorage (all client-side)? If I encrypt the password, won't the key be locally stored as well, effectively making the encryption useless?
Effectively, I want the user's credentials to be as secure as they would be if Chrome itself were storing the credentials in its password manager.
EDIT: Is storing the encrypted password in localStorage and the key in a text file within the extension directory a safe idea?
This is a lightning-rod issue. See http://blog.elliottkember.com/chromes-insane-password-security-strategy for more. The position most consistent with Chrome's would be to encourage your users to use whole-disk encryption and to lock their screen when away from a logged-in machine. It's difficult for userland code like an extension (or a browser, for that matter) to properly implement secure storage, where "properly" means "resistant to a password-recovery utility that anyone can download from the internet."
You should file a feature request. It might be possible to expose a system-level API that does provide similar security to the underlying OS's keychain.