The one with a password manager: Browserpass

The one with a password manager: Browserpass

In the previous post of this series I talked about pass, the desktop utility I use in Ubuntu Mate 22.04 as password manager. I recommend you to read that post first in case you are unfamiliar with the concept of password manager or password store.

Today I'd like to talk about Browserpass, a browser extension that allows you to auto-fill or copy to clipboard credentials for the current domain, protecting you from phishing attacks.


In my case, my browser of choice is Chrome, so I can install the extension from Chrome Web Store, which will provide auto-updates.

For other browsers and/or operating systems, check installation details.

In order to use Browserpass you must also install a companion native messaging host, which provides an interface to the password store.

The package webext-browserpass available for Debian-based distributions is reported to work only for Chromium and Firefox, so I had to install the host app manually.

Install the dependencies that you will need to build the app locally:

$ sudo apt install golang-go curl

Go to the releases page, scroll down to the Assets section, click on "Show all {n} assets" and download the file you need. Choose either the source code file, if you want to compile the app yourself, or a file for your operating system containing a pre-built binary. In my case, I downloaded the .tar.gz file for a Linux system with a 64-bit processor.

I highly recommend you to verify the signature of that file using GPG. Follow these instructions.

After having verified the downloaded file, uncompress it:

$ cd ~/Downloads
$ tar -xf browserpass-linux64-{latest version}.tar.gz

Access to the container directory and run following command to configure the host app:

$ cd browserpass-linux64-{latest version}
$ make BIN=browserpass-linux64 configure
/usr/bin/sed -i 's|"path": ".*"|"path": "'"/usr/bin/browserpass-linux64"'"|' browser-files/chromium-host.json
/usr/bin/sed -i 's|"path": ".*"|"path": "'"/usr/bin/browserpass-linux64"'"|' browser-files/firefox-host.json

To install the host app you'll need root privileges:

$ sudo make BIN=browserpass-linux64 install
[sudo] password for david:
/usr/bin/install -Dm755 -t "/usr/bin/" browserpass-linux64
/usr/bin/install -Dm644 -t "/usr/lib/browserpass/" Makefile
/usr/bin/install -Dm644 -t "/usr/share/licenses/browserpass/" LICENSE
/usr/bin/install -Dm644 -t "/usr/share/doc/browserpass/"
/usr/bin/install -Dm644 browser-files/chromium-host.json   "/usr/lib/browserpass/hosts/chromium/com.github.browserpass.native.json"
/usr/bin/install -Dm644 browser-files/chromium-policy.json "/usr/lib/browserpass/policies/chromium/com.github.browserpass.native.json"
/usr/bin/install -Dm644 browser-files/firefox-host.json    "/usr/lib/browserpass/hosts/firefox/com.github.browserpass.native.json"

And that's it.

Bear in mind that it's expected that you keep both components up to date, as most improvements require changing code in both browser extensions and the host application.


Pin the extension in the browser:

Browserpass extension pinned

Right click on the Browserpass icon:

Browserpass extension menu

You'll find a few configurable settings, such as the location of the GPG key or the location of the password store:

Browserpass extension options

Besides, you can choose between the dark and the light theme too:

Browserpass extension dark theme

Browserpass extension light theme

Check the project page for more details about all the options available to configure this extension.



Browserpass recommends following some conventions to organize the password store.

One such convention would be that in order to benefit of phishing attack protection, a password entry file, or any of its parent folders, must contain a full domain name (including TLD like .com) and optionally port in their name in order to automatically match a website. Although entries which don't contain such a domain in their name may still be manually selected.

Some good examples:

$ pass
Password Store
    ├── personal
    └── work

In the project page you'll find more conventions expected by this extension.


Click on the extension icon or use Ctrl + Shift + L to open the Browserpass popup with the entries that match the current domain.

You can also use Ctrl + Shift + F to fill the form with the best matching credentials without even opening the popup. The best matching credentials are the first ones on the list if you open the popup.

Those shortcuts are configurable. In Chrome, you can go to chrome://extensions/shortcuts:

Browserpass configurable shortcuts

This extension provides the following keyword shortcuts:

Ctrl + Shift + LOpen Browserpass popup
Ctrl + Shift + FFill the form with the best matching credentials
EnterSubmit form with currently selected credentials
Arrow keys and Tab / Shift + TabNavigate popup list
Ctrl + CCopy password to clipboard (will clear in 60 seconds)
Ctrl + Shift + CCopy username to clipboard (will clear in 60 seconds)
Ctrl + GOpen URL in the current tab
Ctrl + Shift + GOpen URL in the new tab
Backspace (with no search text entered)Search passwords in the entire password store

Note that if the cursor is located in the search input field, every shortcut that works on the selected entry will be applied on the first entry in the popup list.

When Browserpass shows entries for a specific domain, either because it matches the domain or because you have used it before for that domain, you will see a badge with the domain name in the search input field:

Browserpass badge with the domain name

That means that phishing attack protection is enabled, but if you want to intentionally disable it and search the entire password store for credentials, you must press Backspace to confirm this decision (domain badge will disappear), then use Browserpass normally.

Browserpass showing previously selected credentials for a given domain although the domain doesn't match

The selected credentials will be remembered and used the next time you go back to the same domain.

Go to the project page once again to find more about password matching and sorting.

Latest release

At the moment of writing, the latest version released is 3.8.0, that brings a long-awaited functionality, allowing users to manage the password store directly from the browser extension.

Although I personally won't use that functionality, it's definitely something worth mentioning.

A new option has been added to the bottom of the popup:

Browserpass allows to add new credentials

In the form you can add an existing password or generate a random one with desired length and optionally including symbols:

Browserpass dedicated form to add new credentials

You can edit existing credentials accessing from the Open details option:

Browserpass allows to edit existing credentials

And then clicking on the button at the top right of the popup:

Browserpass option to edit credentials

You can either delete or update existing credentials:

Browserpass dedicated form to delete or update credentials


A reasonable concern could be the security provided by this extension.

As I mentioned before, it protects against phishing by default and it's claimed that it doesn't allow websites to trigger any extension action, without the user directly invoking it.

That being said, bear in mind that Browserpass doesn't attempt to secure the data it stores in browser local storage, it's assumed that users take precautions to protect their local file system (e.g. by using disk encryption).


I really like the simplicity of Browserpass. So far I haven't needed anything more than what it offers, although I must admit that it took me a while until I finally managed to configure properly the host app. Assuming your OS is Ubuntu and your browser is Chrome, you won't have the same problem after reading the content of this post, so it should be a pretty smooth experience for you.

In the next post of this series I'll talk about the mobile apps I use in combination with pass.

Thank you for reading and see you in the next one!