
How I defended against phishing and reinvented the wheel, but my own

During the days of the "wild" Internet a lot of spam came into the mailbox, and a lot of it was phishing. For example: "Look at the new post for you, follow the link to the vkontakte site"; "Add friends on the Odnoklassniki site". Mom and other relatives fell for it. There was no phone binding yet, so I had to restore accounts or change passwords all the time. The moment came when I got tired of it and wanted to solve the problem once and for all.
A plug-in of the Web of Trust type came to mind, but I suspected that a red indicator would not stop relatives from entering a password on a dodgy site. After some thought I came up with another idea, wrote a sketch and put it in Chrome. I told the family: use only Chrome, never type passwords anywhere; if you are not logged in automatically, the site is fake, go to the real site through the bookmarks. Some of them were not given their passwords at all :).

I wrote an extension, Autologin. It consists of only 2 files: manifest.json and content.js.

In the manifest we request access to the sites we need and register content.js as the injected script. Its logic is simple: check the URL against a mask; if it matches, look in the DOM for the login form elements by selector; if they are found, fill them in and press the submit button.
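The check-match-fill loop described above, written out as an added example (this is not the Autologin extension's own content.js; the provider rules, selectors, accounts and the manifest fragment in the comment are all assumptions). One detail matters for the phishing defence: the URL is parsed and the host compared exactly, not matched by a wildcard string, because a loose mask like "*mail.ru*" also matches https://evil.example/mail.ru/ and https://mail.ru.evil.example/, which is exactly what a phishing page looks like.

```javascript
// Added example, not the Autologin extension's code: URL check, form lookup and
// auto-fill in a form that can be loaded as a Chrome content script.
// The matching manifest.json would contain something like (assumption):
//   "content_scripts": [{ "matches": ["https://account.mail.ru/*", "https://*.vk.com/*"],
//                         "js": ["content.js"] }]

// Constructed provider rules. Selectors are placeholders; real login pages differ.
const PROVIDER_RULES = [
  {
    name: 'mail.ru',
    host: 'account.mail.ru',
    allowSubdomains: false,
    path: '/login',
    loginSelector: 'input[name="username"]',
    passwordSelector: 'input[name="password"]',
    submitSelector: 'button[type="submit"]',
  },
  {
    name: 'vk',
    host: 'vk.com',
    allowSubdomains: true,            // constructed: the form is also served from subdomains
    path: '/',
    loginSelector: 'input[name="email"]',
    passwordSelector: 'input[name="pass"]',
    submitSelector: 'button#login_button',
  },
];

// Constructed plaintext accounts, the way the first version of the extension kept them.
const ACCOUNTS = {
  'mail.ru': { login: 'mom@mail.ru', password: 'correct horse battery staple' },
  'vk': { login: 'mom', password: 'hunter2' },
};

// Does this page belong to a trusted provider? Parse the URL instead of matching a
// wildcard over the whole string, so look-alike hosts and path tricks do not match.
function urlMatches(url, rule) {
  let u;
  try { u = new URL(url); } catch { return false; }
  if (u.protocol !== 'https:') return false;       // never fill a plain-http copy of the page
  const hostOk = u.hostname === rule.host ||
    (rule.allowSubdomains && u.hostname.endsWith('.' + rule.host));
  return hostOk && u.pathname.startsWith(rule.path);
}

function findRule(url) {
  return PROVIDER_RULES.find(rule => urlMatches(url, rule)) || null;
}

// Fill the login form if all three elements are present; returns true after submitting.
// `doc` is any object with querySelector (the real document, or a stub in tests).
function fillLoginForm(doc, rule, account) {
  const loginEl = doc.querySelector(rule.loginSelector);
  const passEl = doc.querySelector(rule.passwordSelector);
  const submitEl = doc.querySelector(rule.submitSelector);
  if (!loginEl || !passEl || !submitEl) return false;   // not the login page, or the form changed
  loginEl.value = account.login;
  passEl.value = account.password;
  for (const el of [loginEl, passEl]) {
    // Frameworks that watch user input need an input event, not just a .value write.
    if (typeof el.dispatchEvent === 'function') el.dispatchEvent(new Event('input', { bubbles: true }));
  }
  submitEl.click();
  return true;
}

// Entry point when loaded as a content script; does nothing under Node.
if (typeof document !== 'undefined' && typeof location !== 'undefined') {
  const rule = findRule(location.href);
  if (rule && ACCOUNTS[rule.name]) fillLoginForm(document, rule, ACCOUNTS[rule.name]);
}
```

The "if it did not log you in, the site is fake" rule the relatives were given works only because findRule returns null for anything that is not the exact provider host over https; a typo-squatted domain, an http copy or a path containing the real host name all fall through to "no rule, nothing filled".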
I spent some time going through the mail.ru, vk and Odnoklassniki sites looking for login forms, then another hour entering everyone's logins and passwords.
Then I was sent links to login forms I had missed. I added the forms and updated the extension (at that time Chrome did not block developer extensions, and it was simply loaded unpacked on every machine).

I started using it myself too. I added account selection; when there are many accounts this is convenient (Google did not yet offer switching between accounts). Plus a bit of extra protection against trojans: if something gets in, nobody knows about my extension, even though the passwords sit there in clear text (this is only obscurity, though: anything that can read the extension's files or the filled-in page gets the same passwords). Also, browsers can easily import passwords from each other, which is a bit annoying.
While the extension was in use, nobody's account was hijacked again. I secured myself and my relatives and regained my calm. Now Google has blocked extensions installed from outside the Web Store, so it is switched off for everyone. But people have become smarter and more cautious, and by now phishing of this kind has faded away.

That would seem to be the end of the story, but the devil tempted me to make a proper user interface for the extension. All because one friend saw it, got interested and asked for it.
Unfortunately, at the time he did not manage to install it...
And what do they say, 20% of the effort for 80% of the functionality? Here it was 95 for 5!

If the extension was going to be released to the world, it had to be polished.
Requirements piled up immediately:

I found the github.com/mdp/gibberish-aes library for encryption.
For the lazy, I generate a key, store it in the database and encrypt passwords with it.
For the paranoid, I encrypt the key with a master password.
For the moderately paranoid, I keep the master password in RAM and do not ask for it again.
By the way, can you tell me how secure this encryption is?

For storage I use github.com/knadh/localStorageDB, something like MongoDB: a wrapper over localStorage, convenient for import and export.
To update the form database I use GitHub: when the browser starts, the extension checks the repository for updates, so it will be possible to appoint contributors who maintain the database. (Whoever can commit to that repository decides on which pages passwords get filled in, so write access to it needs the same care as the passwords themselves.)

The user interface is written with jQuery UI and plugins. To start using it, go to the "Providers" tab, choose the provider whose account you want to store, and fill out the form.

Encryption level is a setting for the lazy and the paranoid. Levels 1 and 2 are not available until you enable "Advanced Security" (on the Settings tab).

Advanced security adds password encryption.
Security level 0 gives no real password security. These accounts cannot be viewed in plain text, but a specialist can decrypt them without any trouble: passwords are encrypted in the database, and the encryption key is stored in the same database.
Security level 1 keeps passwords secure under one condition: do not leave the browser open after entering the encryption key. The key is requested once and kept in the browser's memory.
Security level 2 gives the highest password security available here. The encryption key is requested every time, is stored nowhere, and is used only to decrypt the account for the subsequent login.

There is also a setting, "use one provider for several accounts". A modal dialog shades the whole page and shows the list of accounts; the font size adjusts so that all accounts fit. The informer icon simply appears in the address bar, and the account selection menu is shown only when you click it.

Backup is done by simply serializing the database to JSON, with import from and export to a file.

For me the extension is convenient and I use it constantly. The sources are on GitHub; maybe someone else will find it useful. I did not dare to publish it in the Web Store: with this functionality it is unlikely to be let through.

Source: https://habr.com/ru/post/253617/

