-
add-url-to-window-title
A Firefox addon which will put the web page address (URL) into the window's title. Useful for customizing KeePass's auto-type
-
keepassxc
KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
-
kr-u2f
Discontinued DEPRECATED A Browser extension that lets you use your phone as a U2F/WebAuthN Authenticator for strong, unphishable 2FA.
-
bitwarden
Discontinued Bitwarden client applications (web, browser extension, desktop, and cli) [Moved to: https://github.com/bitwarden/clients]
> Another downside with auto-type is that not all websites put their full names in the browser title bar, so auto-type won't show you your related passwords in some cases. To fix that you can install a browser extension that puts the full web URL in the title bar: https://github.com/erichgoldman/add-url-to-window-title
Instead of modifying the browser title, I use the AutoTypeSearch plugin for KeePass, which opens a dialog allowing me to suggest entries in case of no matches.
There is also another plugin that allows search using both URL and title -- "WebAutoType".
These two plugins together make the KeePass experience almost seamless.
The built-in browser password manager is the only one that ever made sense for me. You want the machine to verify the domain for you so you don't enter your credentials into some other site (no copying and pasting) and all third-party scripts are always clunky.
I use Firefox with Lockwise[1] for Android and pass[2] as overflow for more involved secrets. This is a solo solution though that doesn't solve sharing these secrets with others.
[1] https://www.mozilla.org/en-US/firefox/lockwise/
[2] https://www.passwordstore.org/
I do not use a browser-based password generator, because of the JavaScript insecurity issues. I use a shell script, with a small C program to handle the core cryptography, to generate secure passwords.
I run the password generator in a terminal window, then copy and paste the password into the site I am trying to log in to.
It’s a fairly complicated shell script, since it also has to deal with nonsense like stupid arbitrary password rules (e.g. Southwest considers an underscore to be a letter, and insists at least one non-letter non-number punctuation is in a password; some places require a password to be 8 characters or shorter; etc.) and also provides login information so I can also remember my username.
As recently as 5 or 6 years ago, there were issues with websites which wouldn’t let you copy and paste a password into their password field; Firefox has always had an “ignore any JavaScript which stops pasting” special rule in about:config I had to use. I haven’t seen one of those in a while; developers finally got a clue and realized that password managers exist.
One weakness this setup has is that anyone with the “master key” can get all of the passwords generated by the password generator. My workaround is to use a separate master key in a virtual machine for critical passwords, such as online banking ones.
Shameless plug time:
https://github.com/samboy/PassGen/
I was curious about that, so I looked into it; KeePassXC is having some mixed messages about it:
https://github.com/keepassxreboot/keepassxc/issues/1870 says "awesome!"
https://github.com/keepassxreboot/keepassxc/issues/1996 says "go away"
and I can't figure out what is going on with https://github.com/keepassxreboot/keepassxc/issues/3560
They reference https://github.com/kryptco/kr-u2f in one of the issues, but it was bought by Akamai and the code was never under an open source license to begin with :-(
Ah, it looks like they've fixed that bug, then. It used to be that regardless of your autofill setting, basic auth would be presented; this was because the browser API requires basic auth to be non-interactive and an arbitrary decision has to be made.
From what I can see, this issue was still being reported in April[0] but perhaps it's been patched in the meantime. The devs had been going back and forth about this so long that I stopped paying attention to the issue after a while.
[0]: https://github.com/bitwarden/browser/issues/1408