我应该如何安全地存储密码，并在Chrome扩展使用HTTP认证 [英] How should I securely store passwords and use http auth in a chrome extension

问题描述

我在做，需要从安全服务器获取一个XML文件中的Chrome扩展程序。

I'm making a chrome extension that requires fetching an xml file from a secure server.

我目前使用XMLHtt prequest（），以向服务器调用

I'm currently using XMLHttpRequest() to make a call to the server

https://username:password@mydomain.com

返回的XML对象我可以分析和显示。我想这个扩展可用的不仅仅是我的爱好使用较多，所以它需要一个选项页面设置并存储用户名和密码。

which returns an xml object that I can parse and display. I want this extension to be available for more than just my hobby use, so it needs an options page to set and store the username and password.

我应该如何存储用户密码，在Chrome中，以便它是安全的？铬具有全局每个扩展，允许扩展的作者存储数据的本地存储，但它存储在纯文本。它不允许扩展访问忘记了密码的存储（具有良好的原因）。

How should I store the user password in chrome so that it is secure? chrome has a localStorage global for each extension that allows extension authors to store data, but it is stored in plain text. it doesn't allow extensions to access the 'remember my password' storage(with good reasons).

和在那里做HTTP认证更安全的方式？我目前的做事方式需要以纯文本的每个函数被调用时传递用户名/密码的URL，即使验证会话尚未过期。

and is there a more secure way to do http auth? My current way of doing things requires passing the username/password in plain text in the url each time the function is called, even if the the authentication session hasn't expired.

推荐答案

一个想法：问一个键，您可以使用将它们放在面前的localStorage对称加密值用户。您还可以生成基于他的机器/浏览器/等的某些独特方面每个客户端的唯一密钥。

An idea: ask the user for a key, which you can use to symmetrically encrypt the values before putting them in localStorage. You could also generate a unique key per client based on certain unique aspects of his machine/browser/etc.

这篇关于我应该如何安全地存储密码，并在Chrome扩展使用HTTP认证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！