I started reading Google Chrome's documentation, and liked its approach of using HTML and JavaScript to create extensions. Reading this tutorial about Local Storage made me think about a lot of different uses.

I want to develop an extension to help me with corporate systems. It's very specific, and it's only going to be used inside a company.

This extension would do some activities to this corporate system, using JavaScript DOM, with just one click on Google's Chrome toolbar. To work with just one click, the extension needs to store a password in Chrome: so if you restart your system, you don't need to enter it again.

How do I do that? Persist a password in a Google Chrome extension to login to another system? I don't want to store it in "plain text", I would like to at least use some kind of encryption (maybe a Google Chrome API with this resource).

Is it possible? How to persist this data with Google Chrome's extensions structure (best way)?

+2  A: 

You could encrypt and store a user’s password with localStorage (or the Web SQL Database API). But not very securely. Anyone who gained access to the user’s computer could retrieve the ciphertext, pluck the encryption algorithm out of your extension source, and determine the plaintext password.

If feasible, here are a couple more bulletproof solutions:

  • Piggyback on the user logging into a web interface. For an example, see the Google Mail Checker.

  • Connect to the services through OAuth (or a similar authorization scheme). For an example, see the Google Wave Notifier.

byoogle
Is all the source code from my Google Chrome extension available through the browser? If not, I could the files with encryption with root permissions.
Somebody still uses you MS-DOS
Yeah. Just like you can any webpage, you can view the source of any extension. (Doing so is trickier in the case of an extension, though — you have to unzip the “.crx” file or install the extension and find the unzipped files on your machine.)
byoogle
I didn't understand your answer... so if I make all Chrome's folders only with root privileges, the user can still view the source from Chrome itself (like running view source in the browser)?
Somebody still uses you MS-DOS
I take it from this question you have sysadmin privileges where the extension would be deployed? Still, no matter what you did, a sophisticated user could find a way to get the source of your extension. The mechanics might not be as simple as opening context menus and selecting “View page source” a bunch of times because you’d probably be running a background page, which isn’t visibly rendered. But all the code could be surfaced through the browser’s developer tools (or possibly, the unzipping methods I mentioned above).
byoogle
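
The point made in the answer and comments above, shown as an added example (not code from the thread): a record encrypted with a key that ships in the extension source decrypts for anyone holding that record and the source, while a key derived from a passphrase that is never stored does not. The key bytes, sample password, passphrases and helper names are constructed for illustration; the JSON string returned by `seal` stands in for the value that would be written to localStorage.

```javascript
// Web Crypto is global in browsers, extension pages and Node 19+; the fallback covers older Node.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
const enc = new TextEncoder(), dec = new TextDecoder();
const toHex = (b) => Array.from(b, (x) => x.toString(16).padStart(2, "0")).join("");
const fromHex = (h) => Uint8Array.from(h.match(/../g), (p) => parseInt(p, 16));

// Constructed sample: a fixed key that lives in the extension's own source files.
const EMBEDDED_KEY = new Uint8Array(32).fill(0x42);

function aesKey(raw) {
  return wc.subtle.importKey("raw", raw, "AES-GCM", false, ["encrypt", "decrypt"]);
}

// Key derived from a passphrase the user types; only the salt is ever persisted.
async function passphraseKey(passphrase, salt) {
  const base = await wc.subtle.importKey("raw", enc.encode(passphrase), "PBKDF2", false, ["deriveKey"]);
  return wc.subtle.deriveKey(
    { name: "PBKDF2", salt, iterations: 600000, hash: "SHA-256" },
    base, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Returns the record that would be stored (hex strings only, no key material).
async function seal(key, plaintext, extra = {}) {
  const iv = wc.getRandomValues(new Uint8Array(12));
  const ct = new Uint8Array(await wc.subtle.encrypt({ name: "AES-GCM", iv }, key, enc.encode(plaintext)));
  return JSON.stringify({ iv: toHex(iv), ct: toHex(ct), ...extra });
}

// Decrypts a stored record; rejects if the key is wrong or the record was altered.
async function unseal(key, record) {
  const { iv, ct } = JSON.parse(record);
  const pt = await wc.subtle.decrypt({ name: "AES-GCM", iv: fromHex(iv) }, key, fromHex(ct));
  return dec.decode(pt);
}

async function demo() {
  const secret = "corp-login-password"; // constructed sample value
  // Case 1: key embedded in the source. The stored record plus the source is enough.
  const rec1 = await seal(await aesKey(EMBEDDED_KEY), secret);
  const recovered = await unseal(await aesKey(EMBEDDED_KEY), rec1);
  // Case 2: key derived from a typed passphrase. The stored record alone is not enough.
  const salt = wc.getRandomValues(new Uint8Array(16));
  const rec2 = await seal(await passphraseKey("typed at browser start", salt), secret, { salt: toHex(salt) });
  const wrong = await unseal(await passphraseKey("guess", salt), rec2).catch(() => null);
  const right = await unseal(await passphraseKey("typed at browser start", salt), rec2);
  return { recovered, wrong, right };
}
```

The passphrase variant gives up the one-click requirement from the question, because the user has to type the passphrase after each browser restart.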