quassy / pwdhash

A secure local password generator based upon Stanford PwdHash (pwdhash.com)
https://quassy.github.io/pwdhash/
BSD 3-Clause "New" or "Revised" License

Windows 10/Microsoft Edge support #5

Closed Natanji closed 5 years ago

Natanji commented 7 years ago

It would be amazing if Edge could be supported, or if there could be some other integration into Windows 10 PCs with the default configuration. The Stanford Pwdhash implementation has a Windows universal app which is here: https://github.com/mgutekunst/WP8-PwdHash, by the way.

quassy commented 7 years ago

I'll try to make this extension work with Chrome and Edge. As both don't support sidebars, the next version will ship as a toolbar button (Firefox will continue to have the sidebar as an option). Chrome version is already working, Edge should be close too.

Problem is, submitting extensions for Edge seems to be quite restricted and not open for the general public...

Natanji commented 7 years ago

It's possible to install Edge extensions from file: https://docs.microsoft.com/en-us/microsoft-edge/extensions/guides/adding-and-removing-extensions

Also, the general public can submit Edge extensions at https://aka.ms/extension-request to get them into the Windows Store. It does seem like they have higher standards there than when you publish a general Windows Store app, since they manually review it.

The Pwdhash Firefox Extension had the nice feature that just pressing F2 in a password field would hash it before sending - do you think you can implement a similar feature, so one doesn't ever need to copy-paste the password (thereby filling the clipboard - which all apps on a computer can usually access unrestricted - with sensitive info)?

quassy commented 7 years ago

Yes, tried installing from file already, but apparently I need to make some further changes to make it work with Edge.

I don't know if you know (I didn't, which is why I started this), but the development of the original PwdHash extension is continued as a WebExtension which is available on AMO and supports typing @@ as well as the F2 shortcut. (This is one of the reasons I use another shortcut, so both extensions are compatible and you can use the sidebar as an easier-to-reach fallback if you prefer the original implementation.)

On copy-pasting: I'm split on whether this is worse or better for security. The problem with the original PwdHash is that it generates your hash inside the web page where you enter your password, which I imagine could allow malicious websites to sniff what you enter (1). My extension on the other hand only pastes a finished hash to the clipboard (and no intermediate hashes from when you have entered your password halfway), which can only be grabbed if you have a malicious app installed (and then probably all your keystrokes will get recorded).

To be honest, the security of PwdHash in general is doubtful if you don't use unique and strong passwords per site (1, 2, 3).

quassy commented 5 years ago

The new Edge should support Chrome extensions out of the box, so I will close this for now.