Emurgo / yoroi-frontend

Yoroi Wallet - Cardano ADA Wallet - Your gateway to the financial world (extension frontend)
https://yoroi-wallet.com/
MIT License

LastPass support for passwords #341

Open SebastienGllmt opened 5 years ago

SebastienGllmt commented 5 years ago

A few community members have asked us to be able to use LastPass and other password management tools to manage their password for Yoroi. I haven't looked into what changes need to be done to support this, but probably it's some small HTML change.

ckjpdx commented 5 years ago

Newbie here. I think this FAQ answer may do it. But I am unfamiliar with the project, so if you can help me locate the component or file that handles the HTML for the password input, I can attempt to add some of those attributes in there. Maybe then LastPass will recognize the inputs?

SebastienGllmt commented 5 years ago

@ckjpdx The best way to find which file a component is in is by inspecting the HTML. As you can see from the screenshot below, most HTML elements have a class that is prefixed with the name of the file they're from.

[screenshot: inspected HTML in the browser dev tools, showing element classes prefixed with the name of the component file they come from]

ebeloded commented 5 years ago

Before anyone spends any more time on this: A short answer to the proposed question is that adding support for a password manager is currently impossible for security reasons.

This question will inevitably be coming up again, so here is a detailed explanation, which may deserve a place in Yoroi FAQ.

Password managers, such as 1Password, LastPass, or Dashlane, work in browsers by injecting what's called a content script into (almost) every page in the browser. The injected script searches for what looks like a login form on the page and either offers to fill it out or suggests saving the login/password so it can fill the login form on the next visit.

This functionality is very convenient, and arguably necessary to avoid password reuse. It should, however, be used in conjunction with 2FA when available.

That being said, it is very easy to build an extension that tracks any sensitive information (such as passwords) and sends it to its creator. To install such an extension the attacker needs only a couple of seconds at the victim's computer, without requiring a password.

Content scripts can be inserted into any page with a URL that starts with one of the permitted schemes (ftp, http, https, file). Yoroi loads as an extension background page with the chrome-extension scheme, which doesn't allow any content scripts. This security feature protects Yoroi against the described type of attack and makes it more secure than a web page based wallet.

Here are the docs about permitted schemes: https://developer.chrome.com/extensions/match_patterns.

PS. A good argument can be made for making Yoroi available as a web page, but that is a different topic, not for this issue.
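The scheme gate described above, as an added example (it is not Yoroi's code and not taken from the Chrome docs): a simplified JavaScript implementation of the content-script match patterns that `<all_urls>` and `*://*/*` expand to, showing that a page served from `chrome-extension://` is never matched however broad the pattern. The wallet URL, the extension id and the `matches` list are constructed for illustration; Chrome edge cases such as ports, IPv6 hosts and the user opt-in for `file://` are left out.

```javascript
// Added example (not Yoroi's code): a simplified matcher for the Chrome
// match patterns that content_scripts are declared with, used to show why a
// page served from the chrome-extension:// scheme is never matched.
// Semantics follow https://developer.chrome.com/extensions/match_patterns;
// edge cases Chrome handles (ports, IPv6 hosts, file:// opt-in) are omitted.

// Schemes a content script may be injected into at all.
const PERMITTED_SCHEMES = new Set(["http", "https", "file", "ftp"]);

// Parse "<scheme>://<host><path>" or the special "<all_urls>" token.
function parseMatchPattern(pattern) {
  if (pattern === "<all_urls>") return { allUrls: true };
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)(\/.*)$/.exec(pattern);
  if (m === null) throw new Error(`invalid match pattern: ${pattern}`);
  const [, scheme, host, path] = m;
  // file:// patterns have an empty host; every other scheme needs one.
  if (scheme === "file" ? host !== "" : host === "") {
    throw new Error(`invalid host in match pattern: ${pattern}`);
  }
  // A host wildcard is only allowed as the whole host ("*") or a leading "*." label.
  const wildcardOk = host === "*" || (host.startsWith("*.") && !host.slice(2).includes("*"));
  if (host.includes("*") && !wildcardOk) {
    throw new Error(`invalid host wildcard in match pattern: ${pattern}`);
  }
  return { allUrls: false, scheme, host, path };
}

// Turn the path glob (only "*" is special) into an anchored RegExp.
function pathGlobToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp(`^${escaped}$`);
}

// Does `pattern` match `urlString`? Returns false for any non-permitted scheme.
function matchesPattern(pattern, urlString) {
  const p = parseMatchPattern(pattern);
  const url = new URL(urlString);
  const scheme = url.protocol.slice(0, -1); // "https:" -> "https"
  // The scheme gate comes first: chrome-extension://, about:, data: ... never
  // match, even for "<all_urls>". This is what keeps content scripts out of
  // an extension's own pages.
  if (!PERMITTED_SCHEMES.has(scheme)) return false;
  if (p.allUrls) return true;
  const schemeOk = p.scheme === "*" ? scheme === "http" || scheme === "https" : p.scheme === scheme;
  if (!schemeOk) return false;
  const host = url.hostname;
  let hostOk;
  if (p.host === "*") {
    hostOk = true;
  } else if (p.host.startsWith("*.")) {
    const suffix = p.host.slice(2);
    hostOk = host === suffix || host.endsWith("." + suffix);
  } else {
    hostOk = host === p.host;
  }
  if (!hostOk) return false;
  // Chrome matches the pattern path against the URL path plus query string.
  return pathGlobToRegExp(p.path).test(url.pathname + url.search);
}

// Constructed demonstration: a typical password-manager content_scripts
// "matches" list, tried against a web wallet page and an extension page.
const PASSWORD_MANAGER_MATCHES = ["<all_urls>"];
const WEB_WALLET_URL = "https://wallet.example.invalid/login"; // constructed
const EXTENSION_URL = "chrome-extension://aaaabbbbccccddddeeeeffffgggghhhh/main_window.html"; // placeholder id

function contentScriptCanRun(matches, urlString) {
  return matches.some((pattern) => matchesPattern(pattern, urlString));
}

console.log("web wallet page:", contentScriptCanRun(PASSWORD_MANAGER_MATCHES, WEB_WALLET_URL)); // true
console.log("extension page:", contentScriptCanRun(PASSWORD_MANAGER_MATCHES, EXTENSION_URL));   // false
```

The ordering in `matchesPattern` is the point: the permitted-scheme check runs before the pattern is even consulted, so no `matches` entry a password manager could declare reaches a `chrome-extension://` page.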

ebeloded commented 5 years ago

This is a bit too much for the FAQ, so here is the gist (open for edits):

Q: Why doesn't my password manager (1Password, LastPass, Dashlane) work in Yoroi?

A: Yoroi wallet works in an isolated environment where content scripts, which provide password manager functionality, don't execute. This feature makes Yoroi more secure than web page based wallets.

SebastienGllmt commented 5 years ago

Ah yes, cross-extension communication is a pain. We can probably solve this issue in the same way we do for Trezor & Ledger -- embed an iframe inside Yoroi and the iframe does nothing but receive the password from LastPass. Once it receives the password, it sends a message back up to Yoroi, which then inputs it into the password field.

It's kind of an ugly thing to code and also it's unfortunate it means you also have to host the iframe on some domain which increases your surface of attack. I'll remove the good first issue tag on this and leave it around until our next meeting on Tuesday where we can decide if we want to just close the issue or not. Thank you both for the investigation!
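The iframe approach sketched above stands or falls on how the parent page validates the message that comes back up, so here is an added example of that validation (it is not Yoroi's code and not its Trezor/Ledger bridge): a `message`-event handler that accepts the password only from the expected origin and the expected frame, and a relay function for the iframe side that always names an explicit `targetOrigin`. The bridge origin, the extension id, the message type and the helper names are assumptions made for illustration, and the round trip is simulated with a stand-in window object so the block runs without a browser.

```javascript
// Added example (not Yoroi's code): validating the password message that a
// hosted iframe relays back to the extension page via window.postMessage.
// Origins, message shape and function names are assumptions for illustration.

const MESSAGE_TYPE = "bridge/password"; // hypothetical message discriminator

// Extension side: build a "message" event handler that accepts a password
// only from the frame we embedded, served from the origin we expect.
function createBridgeHandler({ expectedOrigin, expectedSource }) {
  return function handleMessage(event) {
    // 1. Origin check: any page holding a reference to this window can call
    //    postMessage on it, so reject everything that is not the bridge origin.
    if (event.origin !== expectedOrigin) {
      return { ok: false, reason: "unexpected origin: " + event.origin };
    }
    // 2. Source check: the sender must be the frame we created, not some other
    //    window at the same origin (a popup, a second tab).
    if (expectedSource !== undefined && event.source !== expectedSource) {
      return { ok: false, reason: "unexpected source window" };
    }
    // 3. Shape check: only a structured message of the agreed type is accepted.
    const data = event.data;
    if (data === null || typeof data !== "object" || data.type !== MESSAGE_TYPE) {
      return { ok: false, reason: "unexpected message shape" };
    }
    if (typeof data.password !== "string" || data.password.length === 0) {
      return { ok: false, reason: "missing password" };
    }
    return { ok: true, password: data.password };
  };
}

// Iframe side: relay the password to the parent with an explicit targetOrigin.
// A "*" target would hand the secret to any page that happened to frame us.
function relayPassword(parentWindow, parentOrigin, password) {
  if (parentOrigin === "*") {
    throw new Error("targetOrigin must be the exact parent origin, never *");
  }
  parentWindow.postMessage({ type: MESSAGE_TYPE, password }, parentOrigin);
}

// --- Constructed demonstration (no browser needed) ---------------------------
const BRIDGE_ORIGIN = "https://bridge.example.invalid"; // assumed iframe host
const EXTENSION_ORIGIN = "chrome-extension://aaaabbbbccccddddeeeeffffgggghhhh"; // placeholder id

// Stand-in for the parent window that records what was posted to it.
function fakeParentWindow() {
  const posted = [];
  return {
    posted,
    postMessage(data, targetOrigin) { posted.push({ data, targetOrigin }); },
  };
}

// Simulate the round trip: the iframe posts, the extension page validates.
function demoRoundTrip() {
  const iframeWindow = {}; // stands in for iframeElement.contentWindow
  const parent = fakeParentWindow();
  relayPassword(parent, EXTENSION_ORIGIN, "correct horse battery staple"); // constructed secret
  const handle = createBridgeHandler({ expectedOrigin: BRIDGE_ORIGIN, expectedSource: iframeWindow });
  // The browser would deliver a MessageEvent; we construct the same fields by hand.
  const { data, targetOrigin } = parent.posted[0];
  const accepted = handle({ origin: BRIDGE_ORIGIN, source: iframeWindow, data });
  const spoofed = handle({ origin: "https://evil.example.invalid", source: iframeWindow, data });
  const wrongWindow = handle({ origin: BRIDGE_ORIGIN, source: {}, data });
  const junk = handle({ origin: BRIDGE_ORIGIN, source: iframeWindow, data: "hello" });
  return { targetOrigin, accepted, spoofed, wrongWindow, junk };
}

console.log(demoRoundTrip());
```

In a real page the handler would be registered with `window.addEventListener("message", handle)` and `expectedSource` would be `iframeElement.contentWindow`; the three checks are what keep the hosted domain from becoming the attack surface the comment above worries about, since a message from anywhere else is dropped before the password reaches the input.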