Google Chrome and master passwords
Posted May 20, 2010 17:33 UTC (Thu) by riddochc (guest, #43)
Parent article: Google Chrome and master passwords
I recently discovered a useful and clever way of dealing with passwords in the web browser... I don't recall if I learned this from LWN, so apologies if everyone's already seen this, but the general technique should be reasonably easy to make a Chrome plugin for, and significantly reduces the need to store any password on disk, encrypted or not.
Have a look at http://crypto.stanford.edu/PwdHash/. And correspondingly, https://www.pwdhash.com/.
I tend to avoid the problem of browser-stored passwords by using a program on my PDA for storing passwords in a database encrypted with a single password. It's not integrated into my laptop, much less my browser, so I wind up having to type my passwords into the browser. It's not convenient, but I've never really trusted that the appropriately crafted JavaScript won't be able to read any arbitrary file my login account has permission to read and send it off to some random website.
I don't trust Firefox's security model. JavaScript is used both by plugins which can do anything they like, and by websites which supposedly can't, based on complicated sandboxing techniques. I highly doubt that the sandboxing is perfect.