I’m writing an Chrome extension right now which autofills credentials similar to Chrome’s autofill (in which case Chrome’s autofill fails).
Is there a secure way to store the username/password in localstorage (all client-side)? If I encrypt the password, won’t the key be locally stored as well effectively making the encryption useless?
Effectively, I want the user’s credentials to be as secure as they would be if Chrome itself was storing the credentials in its password manager.
EDIT: is storing the encrypted password in localstorage and the key in a text file within the extension directory a safe idea?
Advertisement
Answer
This is a lightning-rod issue. See http://blog.elliottkember.com/chromes-insane-password-security-strategy for more. The position most consistent with Chrome’s would be to encourage your users to use whole-disk encryption and to lock their screen when away from a logged-in machine. It’s difficult for userland code like an extension (or a browser, for that matter) to properly implement secure storage, where “properly” means “resistant to a password-recovery utility that anyone can download from the internet.”
You should file a feature request. It might be possible to expose a system-level API that does provide similar security to the underlying OS’s keychain.