Browserpass is a Chrome & Firefox extension for zx2c4's pass, a UNIX-based password manager. It retrieves your decrypted passwords for the current domain and allows you to auto-fill login forms, as well as copy them to the clipboard. If you have multiple logins for the current site, the extension shows you a list of usernames to choose from.
It uses a native binary written in Golang to do the interfacing with your password store. Secure communication between the binary and the browser extension is handled through native messaging.
- A recent version of Chrome, Chromium or Firefox 50+.
- Pass (on UNIX)
- Your password filename must match your username or your file must have a line starting with login:, user: or username:, followed by your username.
Examples
$ pass website.com/johndoe
the-password
$ pass website.com
the-password
login: johndoe
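The username rule above, as an added Go example (not browserpass's own code). The names ParseEntry and Credential are hypothetical, and the example assumes the password is the first line of the entry and that store files carry a .gpg suffix:

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// Credential is what a form filler needs from one pass entry (hypothetical type).
type Credential struct {
	Username string
	Password string
}

// loginPrefixes are the line prefixes the README names for the username.
var loginPrefixes = []string{"login:", "user:", "username:"}

// ParseEntry applies the README's rule to one decrypted entry.
// entryPath is the store-relative name (e.g. "website.com/johndoe.gpg"),
// content is the decrypted text. Assumption: the password is line 1.
func ParseEntry(entryPath, content string) (Credential, error) {
	lines := strings.Split(strings.ReplaceAll(content, "\r\n", "\n"), "\n")
	if lines[0] == "" {
		return Credential{}, errors.New("entry has no password on its first line")
	}
	cred := Credential{Password: lines[0]}
	// Start at line 2 so a password that happens to begin with "login:"
	// is never mistaken for the username field.
	for _, line := range lines[1:] {
		for _, p := range loginPrefixes {
			if strings.HasPrefix(line, p) {
				cred.Username = strings.TrimSpace(strings.TrimPrefix(line, p))
				return cred, nil
			}
		}
	}
	// No login line: fall back to the file name, minus the .gpg suffix.
	cred.Username = strings.TrimSuffix(path.Base(entryPath), ".gpg")
	return cred, nil
}

func main() {
	// Constructed sample entries mirroring the two examples above.
	a, _ := ParseEntry("website.com/johndoe.gpg", "the-password\n")
	b, _ := ParseEntry("website.com.gpg", "the-password\nlogin: johndoe\n")
	fmt.Println(a.Username, b.Username)
}
```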
Start out by downloading the latest release package for your operating system. Prebuilt binaries for 64-bit OSX & Linux and Windows are available. Arch users can install browserpass from the AUR.
All release files are signed with this PGP key. To verify the signature of a given file, use $ gpg --verify <file>.sig.
It should report:
gpg: Signature made ...
gpg: using RSA key 8053EB88879A68CB4873D32B011FDC52DA839335
gpg: Good signature from "Maxim Baz <...>"
gpg: aka ...
Primary key fingerprint: EB4F 9E5A 60D3 2232 BB52 150C 12C8 7A28 FEAC 6B20
Subkey fingerprint: 8053 EB88 879A 68CB 4873 D32B 011F DC52 DA83 9335
- Extract the package to where you would like to have the binary.
- Run ./install.sh (.\install.ps1 on Windows) to install the native messaging host. If you want a system-wide installation, run the script with sudo. For Windows, system-wide installation can be done by running .\install.ps1 as Administrator and specifying "yes" at the "Install for all users?" prompt.
Installing the binary & registering it with your browser through the installation script is required to allow the browser extension to talk to the local binary application.
If you already use pass under WSL and prefer to have a single copy of your password store, you can use browserpass through WSL as well.
- Install the Windows host application (see previous section) as well as the Linux host application (under WSL).
- Create %localappdata%\browserpass\browserpass-wsl.bat with the following contents:
@echo off
bash -c ~/.browserpass/browserpass-linux64
If you installed the Linux host application in a location different from ~/.browserpass, replace that path in the above script.
- Change the path in %localappdata%\browserpass\browserpass-firefox.json (or -chrome.json) to point to browserpass-wsl.bat
If your GPG key has a password, the host application running under WSL won't be able to unlock it since it can't interactively prompt for the password. This means you can't decrypt any passwords unless you've already got the key loaded in gpg-agent.
As a workaround, you can use the key (pass website.com) in a WSL terminal to load the key into gpg-agent. Then browserpass will work until gpg-agent times out (it is possible to configure larger timeouts; check the manual for gpg-agent).
You can either install the Chrome extension from the Chrome Web Store or drag the chrome-browserpass.crx file from the release package into the Chrome Extensions (chrome://extensions) page.
You can install the Firefox extension from the Mozilla add-ons site. Please note that you will need Firefox 50 or higher.
Click the lock icon or use Ctrl+Shift+L to fill & submit your login info for the current site.
- Chrome allows changing the shortcut via chrome://extensions > Keyboard shortcuts.
- Firefox unfortunately does not allow changing the default shortcut.
- Firefox supports the keyboard shortcut only since version 53.
Navigate through the list of available credentials with Tab / Shift+Tab or with arrow keys.
Click on the username or password buttons to copy them to the clipboard. Keyboard shortcuts are also available: use Ctrl+C to copy the password of the selected entry and Shift+C to copy the username.
Browserpass aims to protect your passwords and computer from malicious or fraudulent websites.
- To protect against phishing, only passwords matching the origin hostname are suggested or selected without an explicit search term.
- To minimize attack surface, the website is not allowed to trigger any extension action without user invocation.
- Only data from the selected password is made available to the website.
- Given full control of the non-native component of the extension, an attacker can extract passwords stored in the configured repository, but cannot obtain files elsewhere on the filesystem or reach code execution.
Check out Contributing.
MIT Licensed.