Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to store a password as securely in Chrome Extension?

Tags:

javascript

security

google-chrome

google-chrome-extension

I'm writing an Chrome extension right now which autofills credentials similar to Chrome's autofill (in which case Chrome's autofill fails).

Is there a secure way to store the username/password in localstorage (all client-side)? If I encrypt the password, won't the key be locally stored as well effectively making the encryption useless?

Effectively, I want the user's credentials to be as secure as they would be if Chrome itself was storing the credentials in its password manager.

EDIT: is storing the encrypted password in localstorage and the key in a text file within the extension directory a safe idea?

like image 908
Charles Packer Avatar asked Feb 28 '14 08:02

Charles Packer

People also ask

Can I put a password on Chrome extension?

Password Protect Chrome with LockPW Extension The LockPW is an extension for Chrome that allows you to set up password and prompts you to enter the password whenever you open the browser. Visit the Chrome Web Store and search for “LockPW” under the extensions.

Does Google Chrome store passwords securely?

Chrome checks your saved passwords and then lets you know if any of them were exposed in a data breach. To check your credentials, Chrome first encrypts your username and password. Then it sends the encrypted credentials to Google for comparison against an encrypted list of known breached data.

How do I force Chrome to save a password?

Open your Chrome browser. In the address bar type in: 'chrome://flags/#enable-password-force-saving', then press “Enter.” Choose “Enabled” from the drop-down menu under the “Force-saving of passwords” option. Navigate to the bottom right of the page and click the blue “Relaunch” button.

1 Answers

This is a lightning-rod issue. See http://blog.elliottkember.com/chromes-insane-password-security-strategy for more. The position most consistent with Chrome's would be to encourage your users to use whole-disk encryption and to lock their screen when away from a logged-in machine. It's difficult for userland code like an extension (or a browser, for that matter) to properly implement secure storage, where "properly" means "resistant to a password-recovery utility that anyone can download from the internet."

You should file a feature request. It might be possible to expose a system-level API that does provide similar security to the underlying OS's keychain.

like image 148
sowbug Avatar answered Oct 05 '22 13:10

sowbug
Sign in to Comment

Related questions

Requiring external js file for mocha testing
Is there a performance difference between i++ and ++i in JavaScript? [closed]
Chrome tab crashing / hanging after brought on foreground being long time on background
How to call javascript function in ZK
Node.js EPIPE error
How to limit Javascript's window.find to a particular DIV?
Accessing Objects inside Array inside JSON object using Javascript
Analyze audio input from microphone Javascript
Javascript: Detecting if text would wrap
WebDriver: Change event not firing
jQuery.ajax() - How to handle timeouts best?
How does minification work and does it affect angular nested objects?
Iframe enter fullscreen mode
jquery assumes element id? normal behaviour? [duplicate]
Measure CPU performance via JS
Android WebView + AJAX local files
Does valueOf always override toString in javascript?
Send byte array in node.js to server
Twitter Bootstrap affix events not firing
What is the use of a synchronous callback function in JavaScript?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!