Feature #736

AutoFill issues when using a password manager

Added by JB Hétier 4 months ago. Updated 3 months ago.

Status: Closed
Priority: 3.x
Start date: 06/07/2021
Due date:
% Done: 0%
Estimated time:

Description

Hello,

I am using a password manager (KeePassDX) that is able to AutoFill passwords using Android's native feature for form login.

Unfortunately it doesn't work well with Privacy Browser. Sometimes I get the AutoFill popup, but more often than not, it simply doesn't come up.

Other browsers I tried work fine (at least I tried LineageOS' default browser Jelly, and Firefox).
Some browsers seem to be facing issues (https://github.com/Kunzisoft/KeePassDX/wiki/AutoFill#web-browser)

I would love it if my go-to browser were compatible ;)


History

#1

Updated by Soren Stoutner 4 months ago

  • Status changed from New to Closed
  • Assignee set to Soren Stoutner

WebView supports autofill in native mode. As you can see, all the browsers based on WebView in the list on the link you shared (Lightning, FOSS Browser) are listed as having native support.

I am doing nothing to prevent autofill from working in Privacy Browser. I also have no way of fixing any autofill bugs, as any problems would exist either in the code for WebView or in the code for KeePassDX's autofill implementation.

I would recommend making sure you have the latest version of WebView installed.

#2

Updated by JB Hétier 4 months ago

I just tried with FOSS Browser and Lightning and it works.
The behavior is indeed different as you can see in the two screen captures. I took motogp.com as an example but it's the same on every site I tried.
I tried switching Privacy Browser to a "light" theme as it was the only obvious difference.

I am sorry to insist, but there seems to be an issue in Privacy Browser.

#3

Updated by Soren Stoutner 4 months ago

Looking at the screenshots you posted, I would guess that, at a minimum, you would need to enable JavaScript, maybe enable DOM storage, and possibly disable some of the blocklists for the password manager to integrate with the WebView.

Along those lines, I would recommend you read the following URL regarding the negative security and privacy implications of integrating a password manager with a web browser: https://lock.cmpxchg8b.com/passmgrs.html

#4

Updated by JB Hétier 4 months ago

Thanks for the feedback.

Unfortunately, enabling DOM storage and disabling the blacklist does not help.

Thanks for the article as well. I am not sure what the best solution is to manage passwords but I feel relatively safe using KeePass. On my computer, I use an autotype feature accessed with a keyboard shortcut. There is no manipulation of the DOM whatsoever, just keyboard strokes. On my phone, I currently have to copy passwords to the clipboard and I feel quite uneasy doing this. The AutoFill feature feels like a good feature to me as it is native, though I am not tech-savvy enough to say if it’s using the WebView trusted UI or if it is interacting with the DOM. However, I know that the password is filled only after an explicit interaction with KeePassDX so I feel the risk of a password leak is somehow limited.

Cookie “pinning” as I suggested in issue #245 (https://redmine.stoutner.com/issues/245) would be a good alternative I guess, as I only interact with less than 10 logged-in websites on a weekly basis, but still, I believe AutoFill would be a great way to improve the process of logging into a website.

#5

Updated by Soren Stoutner 4 months ago

I use KeePass as well, although a different app. However, I feel that integrating a password manager with a web browser is a privacy and security liability, and I am unlikely to spend any time trying to make it work with Privacy Browser.

#6

Updated by JB Hétier 4 months ago

I understand, it’s ok.
Just to be curious, what is your workflow? Do you copy-paste?

#7

Updated by Soren Stoutner 4 months ago

Copy and paste has significant security and privacy concerns as well.

My workflow is as follows on both desktop and mobile.

1. My browser never saves cookies or any login information.
2. I use passphrases instead of passwords. Basically the passwords are sentences. The passphrases are usually something that is easy to remember relating to the website in question. So, for Google, it might be something along the lines of "Google is on the naughty list." Think https://xkcd.com/936/.
3. I rarely need to open my password manager. If I am visiting a website I don't use often, I open the password manager to remind myself what the password is. Then I close the password manager, go back to the website, and type the password.
4. For sensitive webpages that support it, I also use time-based OTP codes, which are calculated using andOTP. https://f-droid.org/en/packages/org.shadowice.flocke.andotp/

#8

Updated by JB Hétier 4 months ago

Thanks a lot. I currently use totally random passwords. I'll consider changing that.

#9

Updated by Soren Stoutner 3 months ago

If you haven't already, you might try enabling screenshots in the settings. I don't know if it matters, but it is possible that autofill requires that other apps be able to see Privacy Browser's screen.

#10

Updated by JB Hétier 3 months ago

Hello,
Thanks for the idea.
I played around with most settings (dark theme, top/bottom URL bar, fullscreen, etc.) without luck.
Strangely, the autofill sometimes works. I found that having the database unlocked in KeePassDX helps but still, it's pretty random.
