Complete master password 1.0 Requires Restart
by Kysic
The goal is to avoid to have to enter the master password on application startUp.
The extension is not self-sufficient, a script has to extract the master for a secure storage like gnome-keyring, then to transfer it through an environment variable.
About this Add-on
from a secure storage (gnome-keyring) unlocked when I open my gnome session
(see https://github.com/mvhaen/node-xkeychain/blob/master/platforms/gkeyring.py for more information on how to extract a password
from gnome-keyring).
Then the script launch the mozilla program with a command like :
masterPassword=[The password] firefox
Thus my password are supposed to be secure when my computer is shutdown and I have to re-enter my password
when I start Firefox or Thunderbird.
The principle is very basic (and not optimized), the extension detect the window asking for the password and submit it automatically with the environnement variable "masterPassword" if it's present.
The environnement variable is then overwrite to avoid simple user to use "show password" fonctionnality (it's not a robust hack,
but it can be usefull if you just let your computer 30 seconds out of sight without locking it).
Because of this functioning, you may see a blink on the application startup at the moment the password is automatically submited.
Recommendations :
- Do not used without a tool to store your master password ciphered and lock by another password or credentials.
- This extension is a compromised between security and ease of use. It supposed to be safer to have this extension installed and a master password than no master password. But it's certainly more secure to have a master password without this extension or better, not to store any password in firefox or thunderbird.
- Use a randomly generetad masterPassword, or at least not the same as for your personnal email account by example.
Git-hub repository : https://github.com/Kysic/CompleteMasterPassword