{"id":13435637,"url":"https://github.com/browserpass/browserpass-extension","last_synced_at":"2026-01-26T22:26:55.631Z","repository":{"id":37579902,"uuid":"128682851","full_name":"browserpass/browserpass-extension","owner":"browserpass","description":"Browserpass web extension","archived":false,"fork":false,"pushed_at":"2025-07-25T21:09:34.000Z","size":1491,"stargazers_count":940,"open_issues_count":63,"forks_count":62,"subscribers_count":16,"default_branch":"master","last_synced_at":"2025-07-26T04:37:49.993Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"isc","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/browserpass.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2018-04-08T21:20:20.000Z","updated_at":"2025-07-25T21:30:38.000Z","dependencies_parsed_at":"2024-10-27T18:14:09.252Z","dependency_job_id":"46a042b7-9a13-4dec-8007-5ccec92bdd6a","html_url":"https://github.com/browserpass/browserpass-extension","commit_stats":null,"previous_names":[],"tags_count":37,"template":false,"template_full_name":null,"purl":"pkg:github/browserpass/browserpass-extension","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/browserpass%2Fbrowserpass-extension","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/browserpass%2Fbrowserpass-extension/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/browserpass%2Fbrowserpass-extension/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/browserpas
s%2Fbrowserpass-extension/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/browserpass","download_url":"https://codeload.github.com/browserpass/browserpass-extension/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/browserpass%2Fbrowserpass-extension/sbom","scorecard":{"id":254797,"data":{"date":"2025-08-11","repo":{"name":"github.com/browserpass/browserpass-extension","commit":"f4fffcdbbfc53fb8949be414e9fd94aac5de07ab"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":5.5,"checks":[{"name":"Code-Review","score":5,"reason":"Found 14/28 approved changesets -- score normalized to 5","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":10,"reason":"7 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least 
privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Pinned-Dependencies","score":-1,"reason":"no dependencies found","details":null,"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: 
no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: ISC License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Signed-Releases","score":8,"reason":"5 out of the last 5 releases have a total of 5 signed artifacts.","details":["Info: signed release artifact: browserpass-extension-3.11.0.tar.gz.asc: https://github.com/browserpass/browserpass-extension/releases/tag/3.11.0","Info: signed release artifact: browserpass-chromium-3.10.2.zip.asc: https://github.com/browserpass/browserpass-extension/releases/tag/3.10.2","Info: signed release artifact: browserpass-chromium-3.10.1.zip.asc: https://github.com/browserpass/browserpass-extension/releases/tag/3.10.1","Info: signed release artifact: browserpass-chromium-3.10.0.zip.asc: https://github.com/browserpass/browserpass-extension/releases/tag/3.10.0","Info: signed release artifact: browserpass-chromium-3.9.0.zip.asc: https://github.com/browserpass/browserpass-extension/releases/tag/3.9.0","Warn: release artifact 3.11.0 does not have provenance: 
https://api.github.com/repos/browserpass/browserpass-extension/releases/235296843","Warn: release artifact 3.10.2 does not have provenance: https://api.github.com/repos/browserpass/browserpass-extension/releases/210615731","Warn: release artifact 3.10.1 does not have provenance: https://api.github.com/repos/browserpass/browserpass-extension/releases/209539432","Warn: release artifact 3.10.0 does not have provenance: https://api.github.com/repos/browserpass/browserpass-extension/releases/209462203","Warn: release artifact 3.9.0 does not have provenance: https://api.github.com/repos/browserpass/browserpass-extension/releases/191145601"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 18 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":6,"reason":"4 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw","Warn: Project is vulnerable to: GHSA-vjh7-7g9h-fjfh","Warn: Project is vulnerable to: GHSA-h7cp-r72f-jxh6","Warn: Project is vulnerable to: GHSA-v62p-rq8g-8h59"],"documentation":{"short":"Determines if the project has open, known unfixed 
vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-17T09:23:09.633Z","repository_id":37579902,"created_at":"2025-08-17T09:23:09.633Z","updated_at":"2025-08-17T09:23:09.633Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28789735,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-26T21:49:50.245Z","status":"ssl_error","status_checked_at":"2026-01-26T21:48:29.455Z","response_time":59,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-31T03:00:37.659Z","updated_at":"2026-01-26T22:26:55.619Z","avatar_url":"https://github.com/browserpass.png","language":"JavaScript","funding_links":[],"categories":["HarmonyOS","JavaScript","Interfaces","others"],"sub_categories":["Windows Manager","All other extensions"],"readme":"\u003cp align=\"center\"\u003e\u003cimg src=\"images/logotype-horizontal.png\"\u003e\u003c/p\u003e\n\n# Browserpass - browser extension\n\nBrowserpass is a browser extension for [zx2c4's pass](https://www.passwordstore.org/), a UNIX based password store manager. 
It allows you to auto-fill or copy to clipboard credentials for the current domain, protecting you from phishing attacks.\n\nIn order to use Browserpass you must also install a [companion native messaging host](https://github.com/browserpass/browserpass-native), which provides an interface to your password store.\n\n![demo](https://user-images.githubusercontent.com/1177900/56079873-87057600-5dfa-11e9-8ff1-c51744c75585.gif)\n\n## Table of Contents\n\n-   [Requirements](#requirements)\n-   [Installation](#installation)\n    -   [Verifying authenticity of the Github releases](#verifying-authenticity-of-the-github-releases)\n-   [Updates](#updates)\n-   [Usage](#usage)\n    -   [Organizing password store](#organizing-password-store)\n    -   [First steps in browser extension](#first-steps-in-browser-extension)\n    -   [Available keyboard shortcuts](#available-keyboard-shortcuts)\n    -   [Password matching and sorting](#password-matching-and-sorting)\n    -   [Searching password entries](#searching-password-entries)\n    -   [OpenID authentication](#openid-authentication)\n    -   [Modal HTTP authentication](#modal-http-authentication)\n    -   [Password store locations](#password-store-locations)\n-   [Options](#options)\n    -   [A note about autosubmit](#a-note-about-autosubmit)\n    -   [OTP](#otp)\n        -   [A note about OTP](#a-note-about-otp)\n        -   [OTP Usage](#otp-usage)\n-   [Usage data](#usage-data)\n-   [Security](#security)\n-   [Privacy](#privacy)\n-   [Requested permissions](#requested-permissions)\n-   [FAQ](#faq)\n    -   [Error: Unable to fetch and parse login fields](#error-unable-to-fetch-and-parse-login-fields)\n    -   [How to use the same username and password pair on multiple domains](#how-to-use-the-same-username-and-password-pair-on-multiple-domains)\n    -   [Why Browserpass on Firefox does not work on Mozilla domains?](#why-browserpass-on-firefox-does-not-work-on-mozilla-domains)\n-   [Building the 
extension](#building-the-extension)\n    -   [Build locally](#build-locally)\n    -   [Load an unpacked extension](#load-an-unpacked-extension)\n-   [Contributing](#contributing)\n\n## Requirements\n\n-   The latest stable version of Chromium or Firefox, or any of their derivatives.\n-   The latest stable version of gpg (having `pass` or `gopass` is actually not required).\n-   A password store that follows certain [naming conventions](#organizing-password-store)\n\n## Installation\n\nIn order to install Browserpass correctly, you have to install two of its components:\n\n-   [Native messaging host](https://github.com/browserpass/browserpass-native#installation)\n-   Browser extension for Chromium-based browsers (choose one of the options):\n    -   Install using a package manager for your OS (which will provide auto-update and keep extension in sync with native host app):\n        -   Arch Linux: [browserpass-chromium](https://www.archlinux.org/packages/community/any/browserpass-chromium/), [browserpass-chrome](https://aur.archlinux.org/packages/browserpass-chrome/)\n        -   Debian: [webext-browserpass](https://packages.debian.org/stable/webext-browserpass) includes Chromium extension\n    -   Install the extension from [Chrome Web Store](https://chromewebstore.google.com/detail/browserpass/naepdomgkenhinolocfifgehidddafch) (which will provide auto-updates)\n    -   Download `browserpass-webstore.crx` from the latest release and drag'n'drop it into `chrome://extensions`\n        -   This extension has the same ID as the one in Chrome Web Store, so when a new version will appear in Web Store, it will auto-update! Use if you want to be on latest and greatest version.\n    -   Download `browserpass-github.crx` from the latest release and drag'n'drop it into `chrome://extensions`\n        -   This extension has a different ID comparing to the one in Chrome Web Store, so you will not receive any auto-updates! 
Use for creating distro packages, or if you simply don't tolerate being forced to update when a new version is released.\n    -   Download `browserpass-chromium.zip`, unarchive and use `Load unpacked extension` in `chrome://extensions` in Developer mode.\n-   Browser extension for Firefox-based browsers (choose one of the options):\n    -   Install using a package manager for your OS (which will provide auto-update and keep extension in sync with native host app):\n        -   Arch Linux: [browserpass-firefox](https://www.archlinux.org/packages/community/any/browserpass-firefox/)\n        -   Debian: [webext-browserpass](https://packages.debian.org/stable/webext-browserpass) includes Firefox extension\n    -   Install the extension from [Firefox Add-ons](https://addons.mozilla.org/en-US/firefox/addon/browserpass-ce/) (which will provide auto-updates)\n    -   Download `browserpass-firefox.zip` from the latest release, unarchive and use `Load Temporary Add-on` on `about:debugging#addons` (remember the extension will be removed after browser is closed!).\n\n### Verifying authenticity of the Github releases\n\nAll release files are signed with a PGP key that is available on [maximbaz.com](https://maximbaz.com/), [keybase.io](https://keybase.io/maximbaz) and various OpenPGP key servers. 
First, import the public key using any of these commands:\n\n```\n$ curl https://maximbaz.com/pgp_keys.asc | gpg --import\n$ curl https://keybase.io/maximbaz/pgp_keys.asc | gpg --import\n$ gpg --recv-keys 56C3E775E72B0C8B1C0C1BD0B5DB77409B11B601\n```\n\nTo verify the signature of a given file, use `$ gpg --verify \u003cfile\u003e.asc`.\n\nIt should report:\n\n```\ngpg: Signature made ...\ngpg:                using EDDSA key 04D7A219B0ABE4C2B62A5E654A2B758631E1FD91\ngpg: Good signature from \"Maxim Baz \u003c...\u003e\"\ngpg:                 aka ...\nPrimary key fingerprint: 56C3 E775 E72B 0C8B 1C0C  1BD0 B5DB 7740 9B11 B601\n     Subkey fingerprint: 04D7 A219 B0AB E4C2 B62A  5E65 4A2B 7586 31E1 FD91\n```\n\n## Updates\n\nIf you installed the extension from a webstore, you will receive updates automatically.\n\nIf not, repeat the installation instructions for the extension.\n\n**IMPORTANT:** Majority of the improvements require changing code in both browser extensions and the [host application](https://github.com/browserpass/browserpass-native#updates). It is expected that you will make sure to keep both components up to date.\n\n## Usage\n\n### Organizing password store\n\nBrowserpass was designed with an assumption that certain conventions are being followed when organizing your password store.\n\n1. In order to benefit from phishing attack protection, a password entry file, or any of its parent folders, must contain a full domain name (including TLD like `.com`) and optionally port in their name in order to automatically match a website. However, entries which do not contain such a domain in their name may still be manually selected.\n\n    File names are not allowed to contain `\\` or `/` characters, because both of them are considered to be path separators.\n\n    Some good examples:\n\n    ```\n    ~/.password-store/\n        accounts.google.com.gpg\n        amazon.com.gpg\n        github.com/\n            personal.gpg\n            work.gpg\n    ```\n\n1. 
Password must be defined on a line starting with `password:`, `pass:` or `secret:` (case-insensitive), and if all of these are absent, the first line in the password entry file is considered to be a password.\n\n1. Username must be defined on a line starting with `login:`, `username:`, or `user:` (case-insensitive), and if all of these are absent, default username as configured in browser extension or in `.browserpass.json` of specific password store, and finally if everything is absent the file name is considered to be a username.\n\n1. OpenID URL must be defined on a line starting with `openid:` (case-insensitive).\n\n1. URL ([only](#password-matching-and-sorting) used for [modal HTTP authentication](#modal-http-authentication)!) must be defined on a line starting with `url:`, `uri:`, `website:`, `site:`, `link:` or `launch:` (case-insensitive).\n\nIf there are entries in your password store that you do not wish to see via Browserpass, you can ignore them by setting the `ignore` option in `.browserpass.json`. This is defined as either a string, or an array of strings, using the standard `.gitignore` syntax. Any matching files or directories will be completely ignored.\n\n### First steps in browser extension\n\nClick on the icon or use \u003ckbd\u003eCtrl+Shift+L\u003c/kbd\u003e to open the Browserpass popup with the entries that match the current domain. 
You can also use \u003ckbd\u003eCtrl+Shift+F\u003c/kbd\u003e to fill the form with the best matching credentials without even opening the popup (the best matching credentials are the first ones on the list if you open the popup).\n\nHow to change the shortcut:\n\n-   Chromium: `chrome://extensions/shortcuts`\n-   Firefox: `about:addons` \u003e Gear icon \u003e `Manage Extension Shortcuts`\n\nWhen Browserpass shows entries for a specific domain, you will see a badge with the domain name in the search input field:\n\n![image](https://user-images.githubusercontent.com/1177900/54785353-52046a00-4c26-11e9-8497-8dc50701ddc4.png)\n\nIf you want to intentionally disable phishing attack protection and search the entire password store for credentials, you must press \u003ckbd\u003eBackspace\u003c/kbd\u003e to confirm this decision (domain badge will disappear), then use Browserpass normally.\n\n### Available keyboard shortcuts\n\nNote: If the cursor is located in the search input field, every shortcut that works on the selected entry will be applied on the first entry in the popup list.\n\n| Shortcut                                             | Action                                                |\n| ---------------------------------------------------- | ----------------------------------------------------- |\n| \u003ckbd\u003eCtrl+Shift+L\u003c/kbd\u003e                              | Open Browserpass popup                                |\n| \u003ckbd\u003eCtrl+Shift+F\u003c/kbd\u003e                              | Fill the form with the best matching credentials      |\n| \u003ckbd\u003eEnter\u003c/kbd\u003e                                     | Submit form with currently selected credentials       |\n| Arrow keys and \u003ckbd\u003eTab\u003c/kbd\u003e / \u003ckbd\u003eShift+Tab\u003c/kbd\u003e | Navigate popup list                                   |\n| \u003ckbd\u003eCtrl+C\u003c/kbd\u003e                                    | Copy password to clipboard (will clear in 
60 seconds) |\n| \u003ckbd\u003eCtrl+Shift+C\u003c/kbd\u003e                              | Copy username to clipboard (will clear in 60 seconds) |\n| \u003ckbd\u003eCtrl+G\u003c/kbd\u003e                                    | Open URL in the current tab                           |\n| \u003ckbd\u003eCtrl+Shift+G\u003c/kbd\u003e                              | Open URL in the new tab                               |\n| \u003ckbd\u003eBackspace\u003c/kbd\u003e (with no search text entered)   | Search passwords in the entire password store         |\n\n### Password matching and sorting\n\nWhen you first open the Browserpass popup, you will see a badge with the current domain name in the search input field:\n\n![image](https://user-images.githubusercontent.com/1177900/54785353-52046a00-4c26-11e9-8497-8dc50701ddc4.png)\n\nThis means that phishing attack prevention is enabled, and Browserpass is only showing you entries from your password store that match this domain.\n\nIn order for Browserpass to correctly determine matching entries, it is expected that your password store follows naming conventions (see [Organizing password store](#organizing-password-store)). In particular your file or folder name must contain a domain with a valid TLD, i.e. not `github.gpg`, but `github.com.gpg`. If an attacker directed you to `https://github.co/login` (notice `.co`), Browserpass will **not** present `github.com` entry in the popup. However if you intentionally want to re-use the same credentials on multiple domains (e.g. `amazon.com` and `amazon.co.uk`), see [How to use the same username and password pair on multiple domains](#how-to-use-the-same-username-and-password-pair-on-multiple-domains).\n\nBrowserpass will display entries for the current domain, as well as all parent entries, but not entries from different subdomains. 
Suppose you are currently on `https://v3.app.example.com`, Browserpass will present all the following entries in popup (if they exist): `v3.app.example.com`, `app.example.com`, `example.com`; but it will not present entries like `v2.app.example.com` or `wiki.example.com`.\n\nBrowserpass can also distinguish credentials meant for different ports, so for example an entry `example.com.gpg` will show up in Browserpass popup when you browse `example.com` on any port, however an entry `example.com:8080.gpg` will only show up on `8080` port.\n\nFinally Browserpass will also present entries that you have recently used on this domain, even if they don't actually meet the usual matching requirements. Suppose you have a password for `amazon.com`, but you open `https://amazon.co.uk`, at first Browserpass will present no entries (because nothing matches `amazon.co.uk`), but if you hit \u003ckbd\u003eBackspace\u003c/kbd\u003e, find `amazon.com` and use it to login, next time you visit `https://amazon.co.uk` and open Browserpass, `amazon.com` entry will already be present.\n\nThe sorting algorithm implemented in Browserpass will use several intuitions to try to order results in the most expected way for a user:\n\n1. If Browserpass was previously used on this domain, the first entry in the list will always be the most recently used one.\n1. The rest of the available password entries will be sorted by the frequency of their usage, the more times a password was used, the higher it will be in the list.\n1. Password entries with the identical usage counts are sorted by number of domain levels (specificity), i.e. `wiki.example.com` will be above `example.com`.\n1. If all the above is equal, password entries are sorted alphabetically.\n\n### Searching password entries\n\nThe search box allows you to filter the list of currently displayed password entries in the popup. 
If you are searching for a password entry that is not already visible (for example if it doesn't match the current domain), first press \u003ckbd\u003eBackspace\u003c/kbd\u003e to disable phishing attack protection and search the entire password store (see [First steps in browser extension](#first-steps-in-browser-extension) for details).\n\nThe search algorithm combines fuzzy and substring filtering approaches to achieve the most optimal results. The matching parts of each result are highlighted in a different color.\n\nThe first word in the search term activates the fuzzy filtering and takes into consideration password store name, folder and password entry name:\n\n![fuzzy-search](https://user-images.githubusercontent.com/1177900/56358004-9b23eb80-61dd-11e9-9af9-3583c7969732.png)\n\nAll subsequent words in the search term additionally filter out the remaining results using a substring filtering on folder and password entry name.\n\nIf you would prefer to use substring search only, simply enter a space character prior to your search term - this disables fuzzy search entirely.\n\n### OpenID authentication\n\nOpenID is often used when someone doesn't trust (or doesn't want to need to trust) a website with their authentication credentials. For this reason, to prevent leaking credentials Browserpass considers OpenID and username+password authentications mutually exclusive: when `openid:` field is present in a password entry, Browserpass will _only_ attempt to fill the OpenID field in a form, it will not even attempt to fill username and password fields, even if they are also present in the password entry, even if a website contains username and password fields in a login form.\n\n### Modal HTTP authentication\n\nDue to the way browsers are implemented, browser extensions are only able to fill modal credentials (e.g. a popup for basic HTTP auth) for a website if the website in question has been opened by the extension. 
For this reason alone Browserpass contains functionality to open a URL associated with a password entry in the current or a new browser tab. However, please note that Browserpass is not intended as a bookmark manager.\n\nIf you want Browserpass to handle modal authentication, follow these steps:\n- Create a password store entry with a `url:` field indicating which website to open.\n  (Alternative field names are: `uri:`, `website:`, `site:`, `link:`, and `launch:`; this is case-insensitive.)\n- Open the browserpass submenu, search for that entry, and hit \u003ckbd\u003eCtrl+G\u003c/kbd\u003e or \u003ckbd\u003eCtrl+Shift+G\u003c/kbd\u003e.\n\nThis will cause Browserpass to open the target site, and transparently intercept and fill the authentication request. You will not normally see a login popup unless the credentials are incorrect.\n\n### Password store locations\n\nBrowserpass is able to automatically detect your password store location: it first checks the `$PASSWORD_STORE_DIR` environment variable. If that variable is not defined, it falls back to `$HOME/.password-store`.\n\nUsing the `Custom store locations` setting in the browser extension options, you are able to define one or more custom locations for password stores. There are no restrictions on where these may be located; they can be subfolders of the main password store, gopass mounts, or any other folder that contains password entries.\n\n#### OTP usage\n\nTOTP seeds may be provided either as an otpauth URL (e.g. `otpauth://totp/Example:alice@google.com?secret=JBSWY3DPEHPK3PXP\u0026issuer=Example`) or as a plain seed (e.g. `totp: JBSWY3DPEHPK3PXP`). Please note that the plain form is unsuitable for any TOTP implementation that does not use a period of 30 seconds and a length of 6 digits.\n\nThe generated OTP code will be automatically copied to the clipboard immediately after the login form is filled. 
It can also be viewed without copying to the clipboard by clicking on the Browserpass popup, then entering the \u003e details screen for the login entry in question.\n\n## Options\n\nThe list of available options:\n\n| Name                                                            | Description                                                   |\n| --------------------------------------------------------------- | ------------------------------------------------------------- |\n| Automatically submit forms after filling (aka `autoSubmit`)     | Make Browserpass automatically submit the login form for you  |\n| Enable support for OTP tokens (aka `enableOTP`)                 | Generate TOTP codes if a TOTP seed is found in the pass entry |\n| Hide badge counter on the toolbar icon (aka `hideBadge`)        | Do not show badge with number of matching password entries    |\n| Default username (aka `username`)                               | Username to use when it's not defined in the password file    |\n| Custom gpg binary (aka `gpgPath`)                               | Path to a custom `gpg` binary to use                          |\n| Custom store locations                                          | List of password stores to use                                |\n| Custom store locations - badge background color (aka `bgColor`) | Badge background color for a given password store in popup    |\n| Custom store locations - badge text color (aka `color`)         | Badge text color for a given password store in popup          |\n| Ignore items (aka `ignore`)                                     | Ignore all matching logins                                    |\n\nBrowserpass allows configuring certain settings in different places using the following priority, highest first:\n\n1. Options defined in specific `*.gpg` files, only apply to these password entries:\n    - `autoSubmit`\n1. 
Options defined in `.browserpass.json` file located in the root of a password store:\n    - `autoSubmit`\n    - `hideBadge`\n    - `enableOTP`\n    - `gpgPath`\n    - `username`\n    - `bgColor`\n    - `color`\n    - `ignore`\n1. Options defined in browser extension options:\n    - Automatically submit forms after filling (aka `autoSubmit`)\n    - Enable support for OTP tokens (aka `enableOTP`)\n    - Hide badge counter on the toolbar icon (aka `hideBadge`)\n    - Default username (aka `username`)\n    - Custom gpg binary (aka `gpgPath`)\n    - Custom store locations\n    - Custom store locations - badge background color (aka `bgColor`)\n    - Custom store locations - badge text color (aka `color`)\n\n### A note about autosubmit\n\nWhile we provide autosubmit as an option for users, we do not recommend it. This is because, while Browserpass' fill logic is robust and usually reliable, it occasionally gets things wrong and fills something (typically the username) into a field or form where it doesn't belong. If autosubmit is enabled, then this can result in Browserpass _automatically submitting_ sensitive credentials into something that isn't a login form.\n\nAs the demand for autosubmit is extremely high, we have decided to provide it anyway - however it is disabled by default, and we recommend that users do not enable it.\n\n### OTP\n\n#### A note about OTP\n\nTools like `pass-otp` make it possible to use `pass` for generating OTP codes, however keeping both passwords and OTP URI in the same location diminishes the major benefit that OTP is supposed to provide: two factor authentication. The purpose of multi-factor authentication is to protect your account even when attackers gain access to your password store, but if your OTP seed is stored in the same place, all auth factors will be compromised at once. 
In particular, Browserpass has access to the entire contents of your password entries, so if it is ever compromised, all your accounts will be at risk, even though you signed up for 2FA.\n\nBrowserpass is opinionated: it does not promote `pass-otp` and by default does not generate OTP codes from OTP seeds in password entries, even though there are other password managers that provide such functionality out of the box.\n\nThere are valid scenarios for using `pass-otp` (e.g. it gives protection against intercepting your password during transmission), but users are strongly advised to very carefully consider whether `pass-otp` is really an appropriate solution - and if so, come up with their own ways of accessing OTP codes that conform to their security requirements. For the majority of people `pass-otp` is not recommended; using any phone app like Authy will be a much better and more secure alternative, because this way attackers would have to not only break into your password store, but they would _also_ have to break into your phone.\n\nIf you still want the OTP support regardless, you may enable it in the Browserpass settings.\n\n## Usage data\n\nBrowserpass keeps metadata of recently used credentials in local storage and Indexed DB of the background page. This is first and foremost internal data to make Browserpass function properly, used for example to implement the [Password matching and sorting](#password-matching-and-sorting) algorithm, but nevertheless you might find it useful to explore using your browser's devtools. For example, if you are considering rotating all passwords that you used in the past month (e.g. 
if you just found out that you had a malicious app installed for several weeks), you can retrieve such a list from Indexed DB quite easily (open an issue if you need help).\n\nFor details on how we treat your data and how to remove it, consult the [Security](#security) and [Privacy](#privacy) sections.\n\n## Security\n\nBrowserpass aims to protect your passwords and computer from malicious or fraudulent websites.\n\n-   To protect against phishing, only passwords matching the origin hostname are suggested or selected without an explicit search term.\n-   To minimize attack surface, the website is not allowed to trigger any extension action. Browserpass must be directly invoked by the user.\n-   Only data from the selected password entry is made available to the website.\n-   Given full control of the non-native component of the extension, an attacker may be able to list and decrypt `.gpg` files that can be accessed by the current user, but cannot execute arbitrary code outside of the browser.\n-   Browserpass does not attempt to secure the data it stores in browser local storage; it is assumed that users take precautions to protect their local file system (e.g. by using disk encryption).\n\n## Privacy\n\nBrowserpass does not send any telemetry data. 
All metadata that is collected in order for the extension to function correctly is stored _only_ in local storage, and never leaves your browser.\n\nThis data is not synchronized between your computers, and upon removing Browserpass extension all the data will be automatically purged by your browser.\n\nIn order to remove all metadata, use the \"Clear usage data\" button in the extension options page or do it using your browser's devtools.\n\n## Requested permissions\n\nBrowserpass extension requests the following permissions:\n\n| Name                 | Reason                                                                                                           |\n| -------------------- | ---------------------------------------------------------------------------------------------------------------- |\n| `activeTab`          | To get URL of the current tab, used for example to determine which passwords to show you by default in the popup |\n| `alarms`             | To set a timer for clearing the clipboard 60 seconds after credentials are copied                                |\n| `tabs`               | To get URL of a given tab, used for example to set count of the matching passwords for a given tab               |\n| `clipboardRead`      | To ensure only copied credentials and not other content is cleared from the clipboard after 60 seconds           |\n| `clipboardWrite`     | For \"Copy password\" and \"Copy username\" functionality                                                            |\n| `nativeMessaging`    | To allow communication with the native app                                                                       |\n| `notifications`      | To show browser notifications on install or update                                                               |\n| `webRequest`         | For modal HTTP authentication                                                                                    |\n| `webRequestBlocking` | For modal HTTP 
authentication                                                                                    |\n| `http://*/*`         | To allow using Browserpass on all websites                                                                       |\n| `https://*/*`        | To allow using Browserpass on all websites                                                                       |\n\n## FAQ\n\n### Error: Unable to fetch and parse login fields\n\nIf you can see passwords but are unable to fill forms or copy credentials, you likely have issues with your `gpg` setup.\n\nFirst things first, make sure that `gpg` and some GUI `pinentry` are installed.\n\n-   on macOS many people succeeded with `pinentry-mac`\n-   on Linux [users report](https://github.com/browserpass/browserpass-extension/issues/155) that `pinentry-gnome3` does not work well with GNOME 3 and Firefox, use e.g. `pinentry-gtk-2`\n-   on Windows WSL people succeeded with [pinentry-wsl-ps1](https://github.com/diablodale/pinentry-wsl-ps1)\n\n`pinentry` is the application that asks for your password to unlock your PGP key when, for example, you use `pass`.\n\nThe selected `pinentry` **must have a GUI**; console-based ones (like `pinentry-tty` or `pinentry-curses`) **are not supported** (unless you know what you are doing).\n\nEnsure that the `gpg-agent` process is actually running; if not, you need to investigate how to enable it.\n\nFinally configure a GUI pinentry program in `~/.gnupg/gpg-agent.conf`:\n\n```\npinentry-program /full/path/to/pinentry\n```\n\nYou will need to restart `gpg-agent` using: `$ gpgconf --kill gpg-agent`\n\nIf Browserpass is unable to locate the proper `gpg` binary, try configuring a full path to your `gpg` in the browser extension settings or in `.browserpass.json` file in the root of your password store:\n\n```json\n{\n    \"gpgPath\": \"/full/path/to/gpg\"\n}\n```\n\n### How to use the same username and password pair on multiple domains\n\nThere are several ways to tell Browserpass to use the same pair of 
credentials on multiple domains, for example how to re-use an existing password entry `amazon.com.gpg` on a `https://amazon.co.uk` website without duplicating your credentials in multiple password files.\n\nThe first option is just to manually find the desired credentials and use them in Browserpass, in other words if you have credentials for `amazon.com`, but you are currently on `https://amazon.co.uk`, open Browserpass, hit \u003ckbd\u003eBackspace\u003c/kbd\u003e to search the entire password store, find `amazon.com` and hit \u003ckbd\u003eEnter\u003c/kbd\u003e to log in. The next time you open Browserpass on `https://amazon.co.uk`, the popup will already contain the `amazon.com` entry, because it was previously used on this website (for details see [Password matching and sorting](#password-matching-and-sorting) section).\n\nThe second option is to create a symlink file `amazon.co.uk.gpg` pointing to `amazon.com.gpg` in your password store; both Browserpass and `pass` itself will recognize the symlink as an existing password entry. It's also possible to symlink an entire directory, rather than individual files.\n\nIf you simply want to re-use the same credentials on multiple subdomains of the same domain (e.g. `app.example.com` and `wiki.example.com`), you can also rename your password entry to a common denominator of the two subdomains, which in this example would be `example.com.gpg` (see [Password matching and sorting](#password-matching-and-sorting)).\n\n### Why Browserpass on Firefox does not work on Mozilla domains?\n\nFirefox has decided to [block all extensions from injecting any content scripts on their domains by default](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_scripts), sadly there's nothing we can do about it. 
It is possible to disable this behavior on a per-domain basis by changing the `extensions.webextensions.restrictedDomains` setting in `about:config`, however be aware that this affects all extensions, not just Browserpass.\n\nThe full list of blocked domains at the time of writing is:\n\n-   accounts-static.cdn.mozilla.net\n-   accounts.firefox.com\n-   addons.cdn.mozilla.net\n-   addons.mozilla.org\n-   api.accounts.firefox.com\n-   content.cdn.mozilla.net\n-   discovery.addons.mozilla.org\n-   input.mozilla.org\n-   install.mozilla.org\n-   oauth.accounts.firefox.com\n-   profile.accounts.firefox.com\n-   support.mozilla.org\n-   sync.services.mozilla.com\n-   testpilot.firefox.com\n\n## Building the extension\n\n### Build locally\n\nMake sure you have the latest stable Yarn installed.\n\nSee below the list of available `make` goals (check Makefile for more details). Use `gmake` on FreeBSD in place of `make`.\n\n| Command              | Description                                                                             |\n| -------------------- | --------------------------------------------------------------------------------------- |\n| `make` or `make all` | Compile the extension source code, prepare unpacked extensions for Chromium and Firefox |\n| `make extension`     | Compile the extension source code                                                       |\n| `make chromium`      | Compile the extension source code, prepare unpacked extension for Chromium              |\n| `make firefox`       | Compile the extension source code, prepare unpacked extension for Firefox               |\n| `make crx`           | Compile the extension source code, prepare packed extension for Chromium                |\n\n### Load an unpacked extension\n\n-   For Chromium:\n    -   Go to `chrome://extensions`\n    -   Enable `Developer mode`\n    -   Click `Load unpacked extension`\n    -   Select `browserpass-extension/chromium` directory\n-   
For Firefox:\n    -   Go to `about:debugging#addons`\n    -   Click `Load temporary add-on`\n    -   Select `browserpass-extension/firefox` directory\n\n## Contributing\n\n1. Fork [the repo](https://github.com/browserpass/browserpass-extension)\n2. Create your feature branch\n    - `git checkout -b my-new-feature`\n3. Commit your changes\n    - `git commit -am 'Add some feature'`\n4. Push the branch\n    - `git push origin my-new-feature`\n5. Create a new pull request\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbrowserpass%2Fbrowserpass-extension","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbrowserpass%2Fbrowserpass-extension","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbrowserpass%2Fbrowserpass-extension/lists"}