Storing user login/password input in a Greasemonkey script on install

by

Here is a framework for getting and storing login credentials. The script prompts for the information on the very first run and stores it, encrypted, using GM_setValue().

It also adds two items to the Greasemonkey context menu to allow changing the username or password.

// ==UserScript==
// @name     _Autologin, sensitive info framework
// @include  http://YOUR_SERVER.COM/YOUR_PATH/*
// @require  http://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js
// @require  http://crypto.stanford.edu/sjcl/sjcl.js
// @grant    GM_getValue
// @grant    GM_setValue
// @grant    GM_registerMenuCommand
// ==/UserScript==

var encKey  = GM_getValue ("encKey",  "");
var usr     = GM_getValue ("lognUsr", "");
var pword   = GM_getValue ("lognPwd", "");

if ( ! encKey) {
    encKey  = prompt (
        'Script key not set for ' + location.hostname + '. Please enter a random string:',
        ''
    );
    GM_setValue ("encKey", encKey);

    usr     = pword = "";   // New key makes prev stored values (if any) unable to decode.
}
usr         = decodeOrPrompt (usr,   "U-name", "lognUsr");
pword       = decodeOrPrompt (pword, "P-word", "lognPwd");


function decodeOrPrompt (targVar, userPrompt, setValVarName) {
    if (targVar) {
        targVar     = unStoreAndDecrypt (targVar);
    }
    else {
        targVar     = prompt (
            userPrompt + ' not set for ' + location.hostname + '. Please enter it now:',
            ''
        );
        GM_setValue (setValVarName, encryptAndStore (targVar) );
    }
    return targVar;
}

function encryptAndStore (clearText) {
    return  JSON.stringify (sjcl.encrypt (encKey, clearText) );
}

function unStoreAndDecrypt (jsonObj) {
    return  sjcl.decrypt (encKey, JSON.parse (jsonObj) );
}

//-- Add menu commands that will allow U and P to be changed.
GM_registerMenuCommand ("Change Username", changeUsername);
GM_registerMenuCommand ("Change Password", changePassword);

function changeUsername () {
    promptAndChangeStoredValue (usr,   "U-name", "lognUsr");
}

function changePassword () {
    promptAndChangeStoredValue (pword, "P-word", "lognPwd");
}

function promptAndChangeStoredValue (targVar, userPrompt, setValVarName) {
    targVar     = prompt (
        'Change ' + userPrompt + ' for ' + location.hostname + ':',
        targVar
    );
    GM_setValue (setValVarName, encryptAndStore (targVar) );
}

// ADD YOUR CODE TO SET THE USERNAME AND PASSWORD ON THE LOGIN PAGE, HERE.

Important:

  1. Logging in with a userscript always carries risk.
  2. This framework greatly reduces that risk, but the storage mechanisms available to Greasemonkey and Tampermonkey are not secure and browser vendors CYA against storing confidential information. If a bad guy gets both your userscript and your browser data, then he can reverse engineer your password. Of course if he has that, he’s most likely pwned one of your machines anyway.
  3. The smart thing to do is to use a password manager like LastPass, KeePass, etc.
  4. The absolute worst thing to do, is to store credentials in a userscript itself. Even a guest can see them then and you will be “hacked”, guaranteed.

More Related Contents:

  1. Choosing and activating the right controls on an AJAX-driven site
  2. jQuery in Greasemonkey 1.0 conflicts with websites using jQuery
  3. Run Greasemonkey script on the same page, multiple times?
  4. How to get an AJAX get-request to wait for the page to be rendered before returning a response?
  5. Can a website know if I am running a userscript?
  6. How to use greasemonkey to selectively remove content from a website
  7. Simulating a mousedown, click, mouseup sequence in Tampermonkey?
  8. Userscript to wait for page to load before executing code techniques?
  9. How to change a class CSS with a Greasemonkey/Tampermonkey script?
  10. Save images to hard disk WITHOUT prompt?
  11. Detecting combination keypresses (Control, Alt, Shift)?
  12. How to exclude iframe in Greasemonkey or Tampermonkey?
  13. How to override the alert function with a userscript?
  14. Add a JavaScript button using Greasemonkey or Tampermonkey?
  15. How do I get Greasemonkey to click on a button that only appears after a delay?
  16. Accessing Variables from Greasemonkey to Page & vice versa
  17. How can I intercept XMLHttpRequests from a Greasemonkey script?
  18. Detect iFrame embedding in Javascript
  19. Injecting JS functions into the page from a Greasemonkey script on Chrome
  20. How can I detect visited and unvisited links on a page?
  21. UserScripts & Greasemonkey: calling a website’s JavaScript functions
  22. “getElementById not a function” when trying to parse an AJAX response?
  23. How to simulate typing in input field using jQuery?
  24. Why doesn’t document.addEventListener(‘load’, function) work in a greasemonkey script?
  25. How can you determine the file size in JavaScript?
  26. Closure in Javascript [duplicate]
  27. How do I click on this button with Greasemonkey?
  28. Watch for element creation in greasemonkey script?
  29. Chrome userscript error: “Unsafe JavaScript attempt to access frame”
  30. Error: Permission denied to access property ‘handler’

Leave a Comment