0

There is a website that annoyingly doesn't save passwords.

I had to create this unsafe, unsecured script (which I run with Greasemonkey) to save the password:

// ==UserScript==
// @name        example.comAutomation
// @include     *example.com/*
// ==/UserScript==

if ( document.location.href == "https://subdomain.example.com/" ) {
    document.querySelector("#x").value = "myEmail";
  document.querySelector("#y").value = "myPassword";
  document.querySelector("#z").click();
}

if ( document.location.href == "https://subdomain.example.com/overview" ) {
    console.log(window.location.href);
  document.location.href = "https://example.com/list"  
}

Assuming I don't want to use an external passwords management software (PMS).

How could I secure the code above with hashing in Greasemonkey somehow?

Hardening the operating systems is always good, of course.

Brock Adams
  • 90,639
  • 22
  • 233
  • 295
Osi
  • 1
  • 3
  • 9
  • 30
  • The duplicate answer would have to be adjusted slightly for GM4, but you would be [smarter to switch to Tampermonkey anyway](https://www.greasespot.net/2017/09/greasemonkey-4-for-users.html). – Brock Adams Apr 10 '18 at 19:14
  • I don't see this as a duplicate question, as the OP asked to use **hashing** to **secure** the code. The framework in the suggested answer doesn't use hashes and is insecure because it stores the encrypted username and password in the same place as the encryption key. This means that the credentials can easily be decrypted by an attacker that can either maliciously change the script, or access the Indexed DB storage where Greasemonkey 4 stores all its scripts and data (e.g. via `about:debugging` in recent Firefox versions). – JRI Apr 28 '18 at 20:35
  • I can't add answers as the question is locked, but a better solution would be to have the userscript encrypt and store the credentials itself using a more memorable passphrase as the key, but store the hash of this key, not the key itself. The hash is used to check the passphrase is entered correctly, but can't be used for decryption on its own. Alternatively, if you trust Firefox's built-in password manager, have the userscript add a new log-on form to the page using simple HTML. Firefox will then prompt to save the credentials itself, and store them encrypted under its master password. – JRI Apr 28 '18 at 20:36

0 Answers0