Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Option to only fill the password field?

See original GitHub issue

General information

Operating system + version: Debian Sid
Browser + version: Vivaldi 3.8.2259.42 (Stable channel) (64-bit)
Information about the host app:
- How did you install it? Installed via Debian package manager (webext-browserpass 3.7.2-1+b1) and ran make hosts-vivaldi-user as per instructions
Information about the browser extension:
- How did you install it? Installed via Debian package manager (webext-browserpass 3.7.2-1+b1)
- Browserpass extension version as reported by your browser: 3.7.2

Exact steps to reproduce the problem

Fill in username
Click the BrowserPass extension button
BrowserPass starts filling out login details

What should happen?

If the password file doesn’t contain anything but a single continuous line it’s probably just a password (as generated by pass generate [filename]). There should be an option to respect this behavior. I append _username to the files that actually contain a username (and _seccuritytoken for security tokens, etc.), and most usernames I simply share across multiple sites where I don’t mind connecting the identities (like Steam and GOG). Alternatively don’t fill the username field if it isn’t empty (might cause conflicts with sites that populate the field with “username” until clicked?).

What happened instead?

Depending on the currently set options, the username will either be filled with the filename or the default username. There is no option to only fill in the password field and leave the username field as-is.

Issue Analytics

State:
Created 2 years ago
Comments:13 (2 by maintainers)

Top GitHub Comments

1reaction

eraydcommented, May 18, 2021

There is no option to only fill in the password field and leave the username field as-is.

Browserpass does allow you to set an empty username in whatever file you don’t want a username entered for (see #232). This achieves exactly what you mention above - i.e. it will fill the password, and leave the username field untouched.

0reactions

eraydcommented, Jul 11, 2021

…using pass as the backing password store is an uncommon scenario to begin with

This is why Browserpass exists. To bring a common browser workflow (logging into things with a secure credential store) to a non-browser credential store (gpg files on disk).

I also disagree on that not filling usernames removes much of the utility of a web browser password manager. What you’re describing is a web browser identity manager.

You are arguing semantics, poorly. The primary function for most browser-integrated products categorised as “password manager”, is using saved credentials to log into things. This includes usernames. Whatever you wish to call it, this is very much what Browserpass is intended to do, and what most of our users use it for.

But adding a small checkbox called “Fill username” (checked by default) shouldn’t add much clutter either.

It does, actually - another option is enough to overflow the options viewport on some platforms.

…how common of a use case is it to have the username as the file name?

Extremely common. path/to/example.com/username (with the password on a single line within that file) is the organisation style where that approach is typically used.

Because to me that sounds like encouraging shared passwords across sites, which is a very bad thing security-wise.

No idea where you got this one from, but it’s incorrect. How people choose to organise the layout of their password store has nothing to do with encouraging or discouraging the reuse of credentials.

I suggest you also take a look at our anti-phishing features; while preventing reuse isn’t the primary point of them, it is a handy side effect.

Ultimately, I’m still not seeing a strong argument in favour of adding this option. As it stands currently, there is nothing about Browserpass which prevents a “fill password, then type username” style workflow (which appears to be what you want to do), and there are already existing mechanisms for extracting the first line of a multi-line file.

I am going to close this issue now, as it feels like we aren’t making any progress here towards establishing a good case for it. However, if you do have a strong, compelling argument in favour of adding this feature, please feel free to post it below.