If the password field isn't in the top-level document then filling in password will fail. It's questionable however whether recursing into frames is the right things to do, particularly for different origin frames: not only are there technical issues (content script cannot access frame contents), it's unclear whether the frame is supposed to get the password in the first place (consider third-party widgets). Possible solutions:

1. Just put the password into any frames regardless.
2. Only put the password into first-party frames (meaning using the same base domain).
3. Tell the user that they have to do it manually. The assumption is of course that the user can decide whether the password frame is legit which they normally cannot.

I am leaning towards the second solution.

Easy Passwords 1.0.0 / Firefox 45.0.2 64-BIT / Windows 7SP1 Home 64-BIT

Unable here to enter a master password. Whatever I input and confirm, the password is not registered.

If I overcome this issue I'll have to know as well how to deal with installed passwords already handled by Firefox's password manager. I mean : there are several points to know when it comes to transferring the password management from one tool to another.

It would be nice to be able to use this tool for non-website passwords. It seems this can be done now by simply storing multiple unrelated passwords for one website. Can you make this easier? (Would you encourage me to take a stab at it?)

the password generation mechanism and the exported file format shoud be specified so that other "clients" could be written, even in other language.

One could imagine

• android client with custom keyboard like for example keepass2android - this would address #37
• linux client like pass

and others

Some Firefox issue is preventing downloading backups right now (tested in Nightly). Clicking a blob: link results in replacing the current document with an empty eternally loading one. Clicking a data: link replaces the current document with the JSON viewer. The download attribute doesn't appear to have an effect for some reason. Whether the link is visible doesn't matter, so it has to be something else.

Currently, the only way to sync two devices is exporting the passwords metadata to a file, moving that file to the other device and importing it there. This isn't a very convenient way of doing it.

The same thing can be automated using some file sharing service, e.g. Dropbox. Only password metadata will be synced, meaning that no sensitive data gets uploaded and sync only works if master password is identical for both devices. When the user sets up sync they will have to authorize Easy Passwords with their Dropbox account (limited permissions, app-specific folder only). Easy Passwords can then check the data in its Dropbox folder regularly, e.g. once per hour - downloading remote changes and uploading local ones.

Security considerations here:

• Token flow can be used to avoid having client secret in the open. This method requires a redirect URI however, and data: URIs won't work. So it seems that we need to construct some kind of an invalid HTTP URL, maybe http://0.0.0.0/ which should definitely not result in an actual HTTP request.
• OAuth2 access token has to be stored unencrypted in order for the sync to work without entering the master password. There are no data loss issues here as it only grants access to the same metadata which is already available locally. However, losing OAuth2 access token will allow an attacker to perform a denial-of-service attack on devices that haven't been breached, either by removing all passwords or by modifying passwords data so that generated passwords no longer match up. Given that a compromised device can generally push changes to all other devices this issue seems to be inherent to any syncing functionality.

Conflict resolution:

• A sync consists of three operations: reading remote data, merging data locally, uploading modified remote data. A conflict occurs if another device syncs at the same time and the remote data is replaced after the current device reads it but before it can upload its modifications.
• Dropbox's file versioning solves the problem nicely. So when the remote data is retrieved x-dropbox-metadata header can be evaluated in order to find the revision of the data. When the modified version is uploaded, parent_rev parameter should be specified to ensure that only that revision can be replaced (also autorename=false).
• If the file cannot be replaced we will receive 409 response code, we should retry the sync then. A random back-off interval is probably a good measure here, not really required however.

Merging changes should work as following:

• If remote data doesn't have a password that exists locally: was the password added locally after the last sync?
  • If yes: add the password in remote data.
  • If no: remove the password locally.
• If remote data has a password but local data doesn't: was the password removed locally after last sync?
  • If yes: modify remote data to mark that password as removed.
  • If no: add the password locally.
• If both remote data and local data have a password but parameters differ: was the password added locally after the last sync?
  • If yes: replace the password in remote data, use local data.
  • If no: replace the password in local data, use remote data.

The only additional data structure needed locally here should be passwords touched since last sync, including passwords that got removed - passwords that were touched win over remote changes, the ones that weren't get remote changes applied. Note: when the sync is set up initially all passwords need to be marked as touched, otherwise they might be removed on sync.

I'm (hopefully!) going to migrate over from LastPass, but since I have been using LastPass for some time I have a lot of passwords and notes to migrate.

LastPass provides a way to export data to a CSV file and it would be great if I could import that straight into Easy Passwords.

I recently was forced to use mac for some months. In windows, I used to be able to fill in a password with just the keyboard. However in mac, once the easy passwords panel opens, i cannot use tab to select the "Wand". Here is screencast - https://youtu.be/gy11X-BLLto

During the discussion for issue #22 we decided to add the ability to store notes and additional form field values for passwords. Initially we will just add the ability to store notes and that's what this issue is about.

Here's @palant's design from that discussion, tweaked to remove anything unrelated / out-dated:

• We have additional metadata on the passwords, it is optional however. Additional metadata is encrypted in the data storage.
• There should be one more icon next to the password saying "Notes" in the tooltip. It's probably best to place it on the right side of the password name in the listing so it's clearly different from the password retrieval icons but one still wouldn't click on the delete icon by mistake.
• By default, this icon should be partially transparent. It should only be black if any data exists there.
• The view should show the site and password name as text. There should be a label "Notes:" followed by a multi-line text area - for arbitrary text notes. There should be two buttons: "Save" and "Cancel."
• All passwords page needs to indicate when a password has stored form notes. This data is encrypted so there should be an additional button to show the notes, similar to actual passwords.

I don’t know whether EasyPasswords updates itself automatically or not but pasting passwords has recently stopped working, possibly after an auto-update. (Screenshot below.) Restarting the browser (Chrome) doesn’t help. EasyPasswords still allows copying passwords to clipboard.

Error message: “The operation failed unexpectedly. The message port closed before a response was received.”

I don’t know how this is related but another change in behaviour appeared at the same time: EasyPasswords used to auto-lock itself but now it doesn’t. I had to set auto-locking in options manually to bring back the original behaviour. Such changes are slightly disconcerting and make me wonder whether someone was tinkering with my browser.

P.S. It’s an ingenious extension and I love Mr. Palant for creating it. It’s perfect in every way and, I guess, superior to every other password keeping solution. I created this GitHub account only to report this bug. Before EasyPasswords, creating throwaway accounts was an untenable task, and requirements to register discouraged me from using many websites.

I'm using firefox nightly (currently 55.0a1 (2017-06-02) (64 bits)) and the UI is totally broken:

Hi there sir!

For the website - https://itunesconnect.apple.com/ - we use this for submitting iOS apps. Clicking auto-fill is giving "not found" error. Here is screenshot -

Right now, the site name can be edited but submitting it won't do anything. This functionality needs to be changed as follows:

1. Editing shouldn't be possible if passwords exist. An error message should show up explaining that websites with passwords cannot be turned into aliases.
2. If new site name is submitted, the original name should become the alias of the new name and new password list should be loaded.
3. There should be a submit button so that the site name can be saved by other means than pressing Enter.
4. If an alias is already in effect editing the site's name shouldn't be possible. Instead, the alias should be displayed along with a button to revert it.

I am trying out the extension and noticed it stores the list of passwords generated. I would prefer to disable that and rely on regenerating the passwords everytime, so there is no central list of websites I visit/usernames available. Is this possible?

#13 indicated one scenario where crypto could fail, there might be more. While the errors coming from crypto aren't very informative, we should probably show something to the user instead of failing silently (users aren't likely to see/understand the Browser Console message).

I focused the text field, then clicked fill in. I expected it to fill just the currently focused field. But it filled out all 3 fields. I was changing my password, so it overwrote the old password field.

https://www.textnow.com/account#/changepassword

Opening the panel creates an empty entry for the current website, even if no password is generated. This is unnecessary.

Currently, there is only a length requirement for the master password - at least 6 characters. Given that master password security is essential, there should be at least an indicator recommending more seucire passwords when the master password is set.

With LastPass it's pretty useful how the current URL for the website is automatically entered when you store a new password. It's stored along with the record which means that the extension has more context than just the hostname when deciding which credentials to offer / auto-fill. It also gives more context for the user, so they can remember exactly which page credentials are for. (I usually find myself deleting the query strings however, they are rarely useful and look messy.)

So how about we add an extra field in Easy Password when creating a new password to do something similar? The path part of the URL could be automatically entered, but it would still be editable should the user need control. To start with this field would just be there to give the user a little more context, but in the future it might be used by the extension itself to decide which password to fill for a page.

Secondly I found the name field kind of confusing, I found myself asking "what is this for, what am I supposed to type?" and was kind of annoyed when the default blank string wasn't allowed. How about the name defaults to the domain or is simply optional? (I think if the path part of the URL was stored the name string would often be less vital anyway.)

When a website requires you to change your password you will currently need to go and create a new password for the same user name: enter all the same parameters, increase revision number by one. This is unnecessary effort that should be automated.

We need to implement a "context menu" triggered by an icon next to the password name, adding a new icon for each feature just doesn't work any more. One of the items in this context menu should say "Generate new password for this name." Once clicked, the view will switch to the "generate password" page with the user name already filled in and revision field visible. If the original password was a generated password then the generation parameters are taken over, otherwise they are set to the default. The revision of the original password (or 1 if it is a legacy password) is incremented until the user name/revision combination is available.

The user should usually only click "Generate password" then in order to create a new password.

The details are still to be determined. However, it's clearly important to store the user name in addition to the password. It should be filled in automatically as well. Password name cannot be used as user name (at least not in all cases) - some websites require frequent password changes, so password name needs to change. UI-wise it will probably boil down to an optional "User name (if different from password name)" field.

To be determined:

• Should the user name be editable?
• Do we want the user to select the form field (= field name) or should we try to guess?

Usually, the user name field should be the one preceding the password field - is this a safe assumption?

While the passwords overview page sorts the sites alphabetically, with a sufficient number of websites finding the right one might get tiresome. Navigation shortcuts have to be displayed at the top - A B C D E ..., each linked to the first site starting with the corresponding letter.

May you please add a hotkey. It's easy to just hit hotkey and type master password. It would be awesome with this feature - #42 - so as soon as I type that master password then it auto fills.

First of all, thanks so much for creating a password generator with a focus on security :) It's about time that someone writes a usable and modernized version of pwdhash.

One of the things that made pwdhash so useful IMO is the fact that you could use it everywhere. That means having a Chrome extension for it, but also, and perhaps more importantly, having a JS version of it on https://www.pwdhash.com that runs the same algorithm in client-side JS.

Obviously, it's much weaker to use that site from a security point of view, but it's the ultimate convenience for when you need to access your password using someone else's browser. It would also enable occasional use in browsers that don't have an EasyPasswords extension.

Steps to reproduce:

1. Go to about:addons.
2. Click Easy Passwords icon.
3. Enter master password if necessary.

Expected results: Adding passwords not possible until a real website is set.

Actual results: Passwords can be added and will be associated with a website called "???".

On Windows you see disabled scroll bars in the password list even if there are no passwords defined.

The string in en-US.properties:

password-type-legacy = Legacy password\nPassword encrypted and stored

becomes this in messages.json:

"password_type_legacy": {
  "message": "Legacy password\\nPassword encrypted and stored"
}

(Note the extra back slash.)

I've just installed the add-on (version 1.0.1) in my Firefox 45.0.2 on Windows 7. When going to the options screen the text mentions there's an online version available but that text is not a link (as it is on https://palant.de/2016/04/19/easy-passwords) so it's a bit hard to find that online version :)

Reset the master password on a website where you have passwords defined. After the new password is accepted you will get to the passwords list - with your old passwords still listed, even though these have been purged from the data.

locale/en-US.properties:

Enter legacy passwort should be Enter legacy password

When I click the export button on the all passwords page nothing happens. Well that's no true, it seems to populate the exportData element with a data URI, but nothing happens as far as the user's concerned.

I'm using Chrome 57 and building the devbuild from dc4191d.

Each call to resize() produces a change in horizontal size on Windows but not OS X. This is because the panel adds two pixels when measuring document size - this is necessary on OS X as the Add-on SDK won't size the panel correctly otherwise, this issue doesn't seem to exist on Windows however.

Perhaps this is a subjective thing, but to me the password import and export buttons on the all passwords page are the wrong way around. I consider the box to be my Easy Password vault, therefore the icon with the arrow going into the box should be import and an arrow going out of the box should be export.

It should be possible to show the passwords (after accepting a warning of course), in order for those to be printed as a paper backup.

Hi,

From what I've read, I understand that the extension uses the username as the salt. Would it be possible to add an option to write our own salt for that website?
Currently, I can add my own salt by writing it instead of the username, but by doing that, I cannot then use the option to auto-fill the username on that website and I'd like to, as it's a lot faster.

Thanks

easy passwords is not presented on the android addons page.
Do you plan to make it compatible with firefox for android?

Currently when you browse to a website and then open the Easy Passwords panel it says "Website name:" and then displays the website's domain below. If Easy Passwords couldn't figure out the domain you can click a link, type the domain, click OK and then view those passwords. It's useful how the current domain is populated, but very annoying to look up passwords or notes for other domains. Especially a problem with things like www. subdomains. That requires using the "all passwords" interface, which is cumbersome especially for a large number of entries.

LastPass has a search input there instead, which is very useful. As you type into the box the results are filtered and displayed immediately, so you can very quickly find what you want. On the bad side the current website's domain isn't populated automatically, so the user often has to type that in manually.

For the standard panel view I suggest that we remove the "Website name:" header completely, also the "Enter website name manually" interface. Then replace the website name field with an text input which can always be edited by the user. I think the field should continue to be populated with the current hostname automatically, but instead of only results which match exactly it should show any matches for domains which contain the string entered. When the user types or changes the value the results should be updated automatically. Here's a dummy screenshot to show what I mean.

Some questions:

• How can we change the password / note list so that it's clear which domains records are associated with?
• How can we change the "Generate new password" and "Enter legacy password" interface so that it still works with this change?

So that a new password can be generated for a record without changing its user name or other details we have a revision field. The "Generate new password for this user name" button allows the revision to be conveniently adjusted for a record.

Since the revision field serves no purpose for legacy passwords it seems wrong to display the "Generate new password for this user name" button for them.

Each time I want to test a change I have to:

1. Type gulp build-chrome
2. Switch to Chrome, select the extensions tab, select to refresh the extension.
3. Click the Easy Password icon and re-enter my (long) master password.

It would be nice if I only had to perform step 1.

Resetting master password will currently warn that passwords will be reset but not actually do it. So the password data becomes bogus after changing master password.

Steps to reproduce:

1. Click "Generate new password" on some website.
2. Click "Cancel"

Expected results: you get back to the password list without any error messages.

Actual results: sometimes the message "Please enter an arbitrary password name." appears and you need to click "Cancel" again.

I had a hard time trying to figure out how to use this feature, since I couldn't find any documentation about this.

After some trial-and-error, here are some quick instructions:

1. Click on the Easy Passwords icon.
2. Under "Website Name", click on the edit notepad icon.
3. Edit the website name to whatever website you use for the main login. For example, if your main login is to example.com, and you land on a subdomain such as a.example.com and share the same login credentials as the main site, you should edit the website name from a.example.com to example.com.
4. Save.

Hope that helps.

Thanks for creating this project, @palant!

It's currently unnecessarily hard to choose which one to click.

I was having a play with the code this evening, attempting to improve the "all passwords" page interface. I wanted to add a search input text box with the placeholder text of "Search Vault". Reading online it seemed that adding a property allpasswords-search.placeholder = Search Vault would do the trick, but that resulted in the following error when Chrome attempted to load the extension:

Failed to load extension from: ~/code/easypasswords/build-chrome
Name of a key "allpasswords_search.placeholder" is invalid. Only ASCII [a-z], [A-Z], [0-9] and "_" are allowed.

So it seems there's no way to localise attributes at the moment. I guess we need to handle the attribute syntax in toChromeLocale somehow, perhaps replacing the final . with a double underscore __? Then we could add some logic to chrome/data/i18n.js to populate supported attributes.

What do you think?

I need to use some of the passwords generated by easypasswords in mobile apps. Currently that requires me to type the passwords out, which is annoying and error prone.

The best way to get the passwords on mobile is probably an app. But until there is one, a hack could do the trick: You could add an option to display passwords as a QR codes in the extension. Then the passwords could make their way into the mobile device's clipboard through any common barcode scanner app, which is more convenient than typing the passwords out.

On the other hand, a third party app will get access to the passwords this way, I'm not 100% sure if it's a good idea.

Currently all password metadata (username, domain, length, charset) is stored in plaintext.

It has some security implications in case user data got stolen (by malware on local machine or by leak on remote host):

1. Usernames are used as salt so it'll be known to attacker.
2. Username + domain pairs in some cases could be used by attacker to hijack account by password recovery options.

Solution : Encrypt all metadata with AES.

It means that you can't access your data without master password but I don't see usecase which it'll be needed. If you forgot password your data won't help you anyway.

Hi there! Can you please auto fill soon after typing in the master password if the active tab has a password box available and there is only one password saved for that site.

Hi @palant,

In the Firefox extension, occasionally, my EP configuration is wiped out and I'll have to re-add my master password and re-import my EP configuration.

So I'm wondering how EP is storing its data and how I can prevent my configuration from being wiped out in Firefox?

The "Fill in" button will happily enter the password on unencrypted HTTP websites right now. It should warn for such websites, along with a checkbox "don't ask me again on this site" (otherwise people might get used to ignoring the warning).

There should be an "passwords overview" page linked as "Show all passwords" from the passwords list. It should show all passwords for all websites as a table, along with their generation parameters. It should allow showing the actual passwords (for printing, as a paper backup) and exporting/importing the data.