 

How to store a password as securely in Chrome Extension?

I'm writing a Chrome extension right now which autofills credentials, similar to Chrome's autofill (for cases in which Chrome's autofill fails).

Is there a secure way to store the username/password in localStorage (all client-side)? If I encrypt the password, won't the key be locally stored as well, effectively making the encryption useless?

Effectively, I want the user's credentials to be as secure as they would be if Chrome itself was storing the credentials in its password manager.

EDIT: Is storing the encrypted password in localStorage and the key in a text file within the extension directory a safe idea?

asked Feb 28 '14 by Charles Packer



1 Answer

This is a lightning-rod issue. See http://blog.elliottkember.com/chromes-insane-password-security-strategy for more. The position most consistent with Chrome's would be to encourage your users to use whole-disk encryption and to lock their screen when away from a logged-in machine. It's difficult for userland code like an extension (or a browser, for that matter) to properly implement secure storage, where "properly" means "resistant to a password-recovery utility that anyone can download from the internet."

You should file a feature request. It might be possible to expose a system-level API that does provide similar security to the underlying OS's keychain.

answered Oct 05 '22 by sowbug