I am making an extension that needs to keep a profile of the user so it can pull the right information from various servers when the user logs in.

So I found this post: Storage of passwords in Google Chrome Extension. I don't find it too helpful.

I believe that if I could store a hash of the user's login password (unique to my extension) I could then use the password as a key to encrypt all their personal information. I am concerned about the comment made in the post I referenced, saying that they could read the source code of the extension and work out the hash.

Is my idea feasible? And if so, what should I use? Or other suggestions?

unixsnob
    What are you trying to achieve? Any information on the client side that is encrypted is useless to you or the user unless you also provide the means to decrypt it on the client-side, which defeats the purpose of encryption. Store it securely on the server and secure your connection with HTTPS. – Robert Harvey Apr 04 '13 at 18:03
  • Where will you use this idea? I mean encryption. Why is it needed on the client side? – Apr 04 '13 at 18:04
  • @RobertHarvey it is a profile containing subscriptions for advertisement channels. I am building a prototype that does analytics on the client side and caches the ads. The reason for keeping it encrypted on site is so I don't need a trusted server, and thus the information is always controlled by the client. I guess I could just accept that the client is trusted and then accept that only the right person has access to it. – unixsnob Apr 05 '13 at 10:49
  • What if I use a C library that I call from Javascript? In that way the source wouldn't be that available... – unixsnob Apr 05 '13 at 10:50
  • I think the best solution to my question is using the `Use Case 1` that appears in this question: http://stackoverflow.com/questions/7123511/what-are-the-valid-use-cases-for-client-side-encryption – unixsnob Apr 05 '13 at 13:22

2 Answers

It sort of depends on what the passwords are used for. If they are bank accounts, for example, it might be worth a bad guy's time to look at your JavaScript and figure out how to decrypt the file. That is what it would take to look at the encrypted contents.

If the contents are passwords to something not very valuable, you can do this sort of thing.

If the contents are valuable, you need to do the encrypting on a server somewhere and not in the client using JavaScript. Doing that almost always requires that you store them too, though it is possible to do the encryption on the server and store the data on the client.

Lee Meador

You should not store personal information or passwords in localStorage because anyone having access to the computer can access this information easily. Even if it's encrypted, it can be easily decrypted by inspecting the source code (the source code of an extension can be viewed easily by anyone).

One solution is to store the information on a server and use a third-party login (Google, Facebook) to authenticate the user instead of a password.

Uzair Farooq