The one with a password manager: Browserpass


In the previous post of this series I talked about pass, the desktop utility I use in Ubuntu Mate 22.04 as a password manager. I recommend that you read that post first if you are unfamiliar with the concept of a password manager or password store.

Today I'd like to talk about Browserpass, a browser extension that allows you to auto-fill or copy to clipboard credentials for the current domain, protecting you from phishing attacks.

Installation

In my case, my browser of choice is Chrome, so I can install the extension from Chrome Web Store, which will provide auto-updates.

For other browsers and/or operating systems, check installation details.

In order to use Browserpass you must also install a companion native messaging host, which provides an interface to the password store.

The package webext-browserpass available for Debian-based distributions is reported to work only for Chromium and Firefox, so I had to install the host app manually.

Install the dependencies that you will need to build the app locally:

$ sudo apt install golang-go curl

Go to the releases page, scroll down to the Assets section, click on "Show all {n} assets" and download the file you need. Choose either the source code file, if you want to compile the app yourself, or a file for your operating system containing a pre-built binary. In my case, I downloaded the .tar.gz file for a Linux system with a 64-bit processor.

I highly recommend that you verify the signature of that file using GPG. Follow these instructions.

After having verified the downloaded file, uncompress it:

$ cd ~/Downloads
$ tar -xf browserpass-linux64-{latest version}.tar.gz

Enter the extracted directory and run the following command to configure the host app:

$ cd browserpass-linux64-{latest version}
$ make BIN=browserpass-linux64 configure
/usr/bin/sed -i 's|"path": ".*"|"path": "'"/usr/bin/browserpass-linux64"'"|' browser-files/chromium-host.json
/usr/bin/sed -i 's|"path": ".*"|"path": "'"/usr/bin/browserpass-linux64"'"|' browser-files/firefox-host.json

To install the host app you'll need root privileges:

$ sudo make BIN=browserpass-linux64 install
[sudo] password for david:
/usr/bin/install -Dm755 -t "/usr/bin/" browserpass-linux64
/usr/bin/install -Dm644 -t "/usr/lib/browserpass/" Makefile
/usr/bin/install -Dm644 -t "/usr/share/licenses/browserpass/" LICENSE
/usr/bin/install -Dm644 -t "/usr/share/doc/browserpass/" README.md
/usr/bin/install -Dm644 browser-files/chromium-host.json   "/usr/lib/browserpass/hosts/chromium/com.github.browserpass.native.json"
/usr/bin/install -Dm644 browser-files/chromium-policy.json "/usr/lib/browserpass/policies/chromium/com.github.browserpass.native.json"
/usr/bin/install -Dm644 browser-files/firefox-host.json    "/usr/lib/browserpass/hosts/firefox/com.github.browserpass.native.json"

And that's it.

Bear in mind that it's expected that you keep both components up to date, as most improvements require changing code in both browser extensions and the host application.
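The only thing `make configure` changed above is the "path" value inside the host manifest, and that manifest is what the browser reads to decide whether, and how, to launch the host. As an added check (not part of the original post or of the Browserpass project), the following Python snippet validates such a Chromium native messaging manifest: the host name must match the installed file name com.github.browserpass.native, the path must be an absolute path to an executable, and the allowed origins must be extension origins. The manifest embedded here is constructed, and the extension ID in it is a placeholder.

```python
import json
import os

# Constructed sample, mirroring the manifest that `make configure` rewrites.
# The extension ID in allowed_origins is a placeholder, not the real one.
SAMPLE_MANIFEST = json.dumps({
    "name": "com.github.browserpass.native",
    "description": "Browserpass native component",
    "path": "/usr/bin/browserpass-linux64",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://EXTENSION_ID_PLACEHOLDER/"],
})

# Must match the file name the install step wrote (without .json).
EXPECTED_NAME = "com.github.browserpass.native"


def check_host_manifest(manifest_text, path_is_executable=None):
    """Return a list of problems found in a native messaging host manifest.

    An empty list means the manifest looks usable by the browser.
    path_is_executable is an optional callable(path) -> bool so the check can
    run against a constructed sample; by default the real filesystem is used.
    """
    if path_is_executable is None:
        path_is_executable = lambda p: os.path.isfile(p) and os.access(p, os.X_OK)
    try:
        m = json.loads(manifest_text)
    except json.JSONDecodeError as exc:
        return [f"manifest is not valid JSON: {exc}"]
    problems = []
    if m.get("name") != EXPECTED_NAME:
        problems.append(f"name must be {EXPECTED_NAME}, got {m.get('name')!r}")
    if m.get("type") != "stdio":
        problems.append("type must be 'stdio'")
    path = m.get("path", "")
    if not os.path.isabs(path):
        problems.append(f"path must be absolute, got {path!r}")
    elif not path_is_executable(path):
        problems.append(f"path {path!r} is not an executable file")
    origins = m.get("allowed_origins")
    if not origins or not all(o.startswith("chrome-extension://") for o in origins):
        problems.append("allowed_origins must list chrome-extension:// origins")
    return problems


if __name__ == "__main__":
    # Path the install step above wrote the Chromium manifest to.
    installed = "/usr/lib/browserpass/hosts/chromium/com.github.browserpass.native.json"
    with open(installed) as fh:
        print(check_host_manifest(fh.read()) or "manifest OK")
```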

Configuration

Pin the extension in the browser:

Browserpass extension pinned

Right click on the Browserpass icon:

Browserpass extension menu

You'll find a few configurable settings, such as the location of the GPG key or the location of the password store:

Browserpass extension options

You can also choose between the dark and the light theme:

Browserpass extension dark theme

Browserpass extension light theme

Check the project page for more details about all the options available to configure this extension.

Usage

Conventions

Browserpass recommends following some conventions to organize the password store.

One such convention is that, in order to benefit from phishing attack protection, a password entry file, or any of its parent folders, must contain a full domain name (including the TLD, like .com) and optionally a port in its name in order to automatically match a website. Entries that don't contain such a domain in their name can still be selected manually.

Some good examples:

$ pass
Password Store
├── accounts.google.com
├── amazon.com
└── github.com
    ├── personal
    └── work

In the project page you'll find more conventions expected by this extension.
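The reason the convention insists on a full domain name is that matching can then be done on whole DNS labels rather than on substrings, which is what stops a lookalike host from pulling up the real site's credentials. The following Python snippet is an added illustration of that idea, not Browserpass's own matching code: it runs a label-aware matcher and a naive substring matcher over a constructed store laid out like the tree above, and the two disagree exactly on lookalike hosts. The exact matching and sorting rules of the extension are assumed to be more elaborate than this (see the project page).

```python
from urllib.parse import urlsplit

# Constructed password store, laid out like the tree in the post
# (entry paths relative to the store root, without the .gpg suffix).
STORE_ENTRIES = [
    "accounts.google.com",
    "amazon.com",
    "github.com/personal",
    "github.com/work",
    "wifi/home-router",  # no domain in its name: manual selection only
]


def host_from_url(url):
    """Lowercased host of a URL, with the port appended if one is present."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    return f"{host}:{parts.port}" if parts.port else host


def component_matches(component, host):
    """True if a path component names this host or one of its parent domains.

    The comparison is on whole DNS labels, so 'amazon.com' does NOT match a
    lookalike host such as 'amazon.com.evil.example' or 'notamazon.com'.
    A component with a port only matches that port; one without matches any.
    """
    name, _, port = component.partition(":")
    hostname, _, host_port = host.partition(":")
    if port and port != host_port:
        return False
    if "." not in name:  # the convention requires a full domain including TLD
        return False
    return hostname == name or hostname.endswith("." + name)


def matching_entries(entries, url):
    """Entries whose file or folder names match the URL's host by label."""
    host = host_from_url(url)
    return [e for e in entries
            if any(component_matches(c, host) for c in e.split("/"))]


def naive_substring_match(entries, url):
    """What a substring check would return: shown only to contrast with above."""
    host = host_from_url(url)
    return [e for e in entries if any(c in host for c in e.split("/"))]
```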

Shortcuts

Click on the extension icon or use Ctrl + Shift + L to open the Browserpass popup with the entries that match the current domain.

You can also use Ctrl + Shift + F to fill the form with the best matching credentials without even opening the popup. The best matching credentials are the first ones on the list if you open the popup.

Those shortcuts are configurable. In Chrome, you can go to chrome://extensions/shortcuts:

Browserpass configurable shortcuts

This extension provides the following keyboard shortcuts:

Shortcut                                   Action
Ctrl + Shift + L                           Open Browserpass popup
Ctrl + Shift + F                           Fill the form with the best matching credentials
Enter                                      Submit form with currently selected credentials
Arrow keys and Tab / Shift + Tab           Navigate popup list
Ctrl + C                                   Copy password to clipboard (will clear in 60 seconds)
Ctrl + Shift + C                           Copy username to clipboard (will clear in 60 seconds)
Ctrl + G                                   Open URL in the current tab
Ctrl + Shift + G                           Open URL in a new tab
Backspace (with no search text entered)    Search passwords in the entire password store

Note that if the cursor is located in the search input field, every shortcut that works on the selected entry will be applied on the first entry in the popup list.

When Browserpass shows entries for a specific domain, either because it matches the domain or because you have used it before for that domain, you will see a badge with the domain name in the search input field:

Browserpass badge with the domain name

That means that phishing attack protection is enabled. If you want to intentionally disable it and search the entire password store for credentials, you must press Backspace to confirm this decision (the domain badge will disappear), then use Browserpass normally.

Browserpass showing previously selected credentials for a given domain although the domain doesn't match

The selected credentials will be remembered and used the next time you go back to the same domain.

Go to the project page once again to find more about password matching and sorting.

Latest release

At the time of writing, the latest version released is 3.8.0, which brings a long-awaited feature: users can manage the password store directly from the browser extension.

Although I personally won't use that functionality, it's definitely something worth mentioning.

A new option has been added to the bottom of the popup:

Browserpass allows to add new credentials

In the form you can add an existing password or generate a random one with desired length and optionally including symbols:

Browserpass dedicated form to add new credentials

You can edit existing credentials by opening them from the Open details option:

Browserpass allows to edit existing credentials

And then clicking on the button at the top right of the popup:

Browserpass option to edit credentials

You can either delete or update existing credentials:

Browserpass dedicated form to delete or update credentials

Security

A reasonable concern could be the security provided by this extension.

As I mentioned before, it protects against phishing by default, and the project claims that it doesn't allow websites to trigger any extension action without the user directly invoking it.

That being said, bear in mind that Browserpass doesn't attempt to secure the data it stores in browser local storage: it's assumed that users take precautions to protect their local file system (e.g. by using disk encryption).

Conclusion

I really like the simplicity of Browserpass. So far I haven't needed anything more than what it offers, although I must admit that it took me a while until I finally managed to configure the host app properly. Assuming your OS is Ubuntu and your browser is Chrome, you won't have the same problem after reading this post, so it should be a pretty smooth experience for you.

In the next post of this series I'll talk about the mobile apps I use in combination with pass.

Thank you for reading and see you in the next one!