How to safely store passwords with greasemonkey?

Question

I wrote a Greasemonkey script, it prompts users to store login and password to avoid the need of re-enter it again and again.

I know localStorage.setItem(); to store a key and a value, but the password will be stored as clear text. So, what is the best practice to store a password?

Is there any API to store it in the browser ? I need to be able to revert the hash (if I need to hash) because the script implement autologin on a website, and I need the clear password to do so.

Thanks by advance.

Hashes are, by definition, irreversible. You probably meant "encryption". — Piskvor left the building, Dec 07 '10 at 20:49
Do not use GM for this (it will be a huge security hole). Install and use [Secure Login](https://addons.mozilla.org/en-US/firefox/addon/4429/) or a similar extension. — Brock Adams, Dec 08 '10 at 00:15
@brock-adams : I can't use a ff extension while it's a userscript, and I can't ask people to install this. — Gilles Quénot, Dec 11 '10 at 19:31

score 4 · Accepted Answer · edited May 23 '17 at 12:18

GreaseMonkey and JS are not the right tools for this - there are numerous problems in keeping passwords secure, some of which aren't really solvable in JS (due to its browser sandbox limits).

You could encrypt the password(s) using AES (or some other encryption scheme) - there are AES implementations in JS. However, they are slower than native code, and you'd need to enter the AES passphrase on every page where the password(s) would be needed (if you stored the passphrase somewhere, or stored some token "passphrase was valid", you're back to square one).

As GM is intended for extending in-page JavaScript, its options in security are very limited. If you're trying to save your web passwords securely, I'd suggest some kind of browser extension - there are numerous for existing password managers.

How to safely store passwords with greasemonkey?

1 Answers1