How to store a password as securely in Chrome Extension?


Problem description


I'm writing a Chrome extension right now which autofills credentials similar to Chrome's autofill (in which case Chrome's autofill fails).

Is there a secure way to store the username/password in localstorage (all client-side)? If I encrypt the password, won't the key be locally stored as well, effectively making the encryption useless?

Effectively, I want the user's credentials to be as secure as they would be if Chrome itself was storing the credentials in its password manager.

EDIT: is storing the encrypted password in localstorage and the key in a text file within the extension directory a safe idea?

Solution

This is a lightning-rod issue. See http://blog.elliottkember.com/chromes-insane-password-security-strategy for more. The position most consistent with Chrome's would be to encourage your users to use whole-disk encryption and to lock their screen when away from a logged-in machine. It's difficult for userland code like an extension (or a browser, for that matter) to properly implement secure storage, where "properly" means "resistant to a password-recovery utility that anyone can download from the internet."

You should file a feature request. It might be possible to expose a system-level API that does provide similar security to the underlying OS's keychain.
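
The concern raised in the question, that a key stored next to the ciphertext makes the encryption useless, shown as an added example that is not part of the original question or answer. The `store` object is a constructed stand-in for localStorage plus the key file, all function names are hypothetical, and the passphrase-derived layout (PBKDF2 with 600000 iterations) is an assumed alternative that the thread does not propose.

```javascript
// WebCrypto is a global in extensions and recent Node; older Node exposes it on the crypto module.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const enc = new TextEncoder(), dec = new TextDecoder();

async function seal(key, plaintext) {
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh nonce per encryption
  const ct = await wc.subtle.encrypt({ name: 'AES-GCM', iv }, key, enc.encode(plaintext));
  return { iv, ct: new Uint8Array(ct) };
}

// Layout from the question's EDIT: ciphertext in storage, raw key in a file beside it.
async function saveWithStoredKey(store, password) {
  const key = await wc.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt', 'decrypt']);
  store.keyFile = new Uint8Array(await wc.subtle.exportKey('raw', key));
  store.entry = await seal(key, password);
}

// Assumed alternative: the key is derived from a passphrase the user types; only the salt is stored.
async function deriveKey(passphrase, salt) {
  const base = await wc.subtle.importKey('raw', enc.encode(passphrase), 'PBKDF2', false, ['deriveKey']);
  return wc.subtle.deriveKey({ name: 'PBKDF2', hash: 'SHA-256', salt, iterations: 600000 },
    base, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

async function saveWithPassphrase(store, password, passphrase) {
  store.salt = wc.getRandomValues(new Uint8Array(16));
  store.entry = await seal(await deriveKey(passphrase, store.salt), password);
}

// Decrypts using only what is in `store` (plus a passphrase, if the layout needs one).
// Returns null when the key is wrong, because the AES-GCM tag check fails.
async function openEntry(store, passphrase = '') {
  try {
    const key = store.keyFile
      ? await wc.subtle.importKey('raw', store.keyFile, 'AES-GCM', false, ['decrypt'])
      : await deriveKey(passphrase, store.salt);
    const pt = await wc.subtle.decrypt({ name: 'AES-GCM', iv: store.entry.iv }, key, store.entry.ct);
    return dec.decode(pt);
  } catch {
    return null;
  }
}
```

With the stored-key layout, `openEntry(store)` returns the password with no secret input at all; with the passphrase layout it returns `null` unless the passphrase is supplied. This covers data at rest only, not a profile that is unlocked and in use.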
