Easy Passwords released as a Web Extension

I’ve finally released Easy Passwords as a Web Extension (not yet through AMO review at the time of writing), so that it can continue working after Firefox 57. To be precise, this is an intermediate step, a hybrid extension meant to migrate data out of the Add-on SDK into the Web Extension part. But all the functionality is in the Web Extension part already, and the data migration part is tiny. Why did it take me so long? After all, Easy Passwords was created when Mozilla’s Web Extensions plan was already announced. So I was designing the extension with Web Extensions in mind, which is why it could be converted without any functionality changes now. Also, Easy Passwords has been available for Chrome for a while already.

The trouble was mostly the immaturity of the Web Extensions platform, which is why I chose to base the extension on the Add-on SDK initially (hey, Mozilla used to promise continued support for the Add-on SDK, so it looked like the best choice back then). Even now I had to fight a bunch of bugs before things were working as expected. Writing to clipboard is weird enough in Chrome, but in Firefox there is also a bug preventing you from doing so in the background page. Checking whether one of the extension’s own pages is open? Expect this to fail, fixed only very recently. Presenting the user with a file download dialog? Not without hacks. And then there are some strange keyboard focus issues that I didn’t even file a bug for yet.

There is still plenty more bugs and inconsistencies. For example, I managed to convert my Enforce Encryption extension so that it would work in Chrome, but it won’t work in Firefox due to a difference in the network stack. But Mozilla’s roadmap is set in stone, Firefox 57 it is. The good news: it could have been worse, Microsoft Edge shipped with an even more immature extensions platform. I complained about difficulties presenting a file download dialog to the user? In Edge, there are three bugs playing together nicely to make this task completely impossible: 1, 2, 3.


  • Atrons

    This sounds great! I almost began questioning whether it was a good choice to start using Easy Passwords only for it to become incompatible after half a year of usage.
    Do you see a chance for making the extension compatible with Firefox for Android? That is my main pain point right now — I am currently using the static web page right now (with some custom CSS, to make it more touch-friendly and Material-y). But it is a bit annoying to always enter the master password and the fact that the resulting password is displayed in plain text also makes it a bit insecure with shoulder surfers. Hm… I suspect I could just add Clipboard.js to solve the latter issue. The former issue could also be worked around, by storing the password in Firefox’s password manager but that completely defeats the purpose.

    Wladimir Palant

    It has been a while since I tried that extension with Firefox Mobile, but as far as I am aware the main issue is the icon pop-up, there is no support for this kind of UI (https://bugzilla.mozilla.org/show_bug.cgi?id=1370333). One could open the “pop-up” in a tab as a work-around but filling in passwords would be quite awkward then. But eventually this extension will certainly run on Firefox Mobile.

    I also have thoughts about a standalone Android app, which would be more advanced than the webpage you are using right now. In particular, it should autocomplete website names and display the available passwords. That might take a while however, also because sync functionality is a prerequisite here.

  • Radar Gast

    Thank you for this great tool. I was looking for a handsome and offline working PW managing tool like this for some time, and now : here it is.
    Working very pretty with Opera.
    One question: what kind of encryption does it use to encrypt the passwords? Did not find such informaton.

    Wladimir Palant

    Generated passwords (the default) are not being stored at all. We currently use PBKDF2 algorithm to derive them from the master password, switching to scrypt algorithm here is in progress (see https://github.com/palant/easypasswords/issues/58). You can read more about the concept behind this in my other blog post, https://palant.de/2016/04/20/security-considerations-for-password-generators.

    Legacy passwords and password notes are being stored, currently encrypted with AES-256-CBC. Encrypting the entire data storage (including user names which aren’t relevant for security) is work in progress, we will switch to AES-256-GCM while at it (see https://github.com/palant/easypasswords/issues/47).

  • Radar Gast

    That sounds all very good. Thanks for the quick reply!