Integrated Browser Passwords

A password manager for the VS Code Integrated Browser. It fills your logins into pages, hands you two-factor codes, and keeps an encrypted vault that rides Settings Sync between machines - so signing in stays inside the editor, where you already are.

Install

Open the Extensions view in VS Code (Ctrl/Cmd+Shift+X), search for Integrated Browser Passwords, hit Install - or grab it from the Marketplace.

A Browser Passwords key icon shows up in the Activity Bar. Click it, pick a master password, and you have a vault.

How it works

Your logins are encrypted with a key derived from your master password (scrypt) and sealed with AES-256-GCM. Only the ciphertext is stored - in the integratedBrowserPasswords.vault setting - so it syncs across your machines like any other setting, while staying useless to anyone who reads it. The master password is never written down or synced; if you forget it, the vault cannot be recovered.

Each machine can optionally remember the unlocked key in its own OS keychain (via VS Code's secret storage, which does not sync) so you are not retyping the master password every session. The vault re-locks automatically after a configurable idle time.

A rolling history of backups - encrypted snapshots of the vault - is kept in VS Code's synced storage, so a recent version is always recoverable, even from another machine.

Using it

Set up the vault

The first time you open the sidebar you'll be asked to choose a master password. Pick something you'll remember; there is no reset. After that, the sidebar shows your logins. If you open VS Code on another machine that's signed in to Settings Sync, the vault comes with it - you just unlock it with the same master password.

Add a login

Click the + at the top of the sidebar (or Add login when the list is empty). Fill in a name and, ideally, the website - that's what's used to match pages later. Add a username and password, generate a strong password with the Generate button if you like, and optionally paste a two-factor secret. Save.

Folders

Click the new-folder button at the top of the sidebar to create a folder, then drag logins onto a folder's header to file them there - or drag them onto the General header to take them back out. Drag a folder's header onto another folder to move it inside, or onto General to bring it back to the top level. Folder headers collapse, show how many logins are inside (counting subfolders), and right-click for Rename Folder, New Subfolder, and Delete Folder. Folders nest as deeply as you like; deleting one removes its subfolders too, but the logins that were inside stay in your vault, just ungrouped. The General group that holds ungrouped logins can be renamed too - right-click its header and choose Rename - it's just called "General" until you do.

Searching and sorting

The toolbar above the list has a search button that shows or hides the search bar; the bar has match case and use regular expression toggles inside it, like the editor's find widget. The sort button next to it picks whether the list is ordered by name, website, or username, ascending or descending. Both stay the way you left them.

Autofill in the Integrated Browser

Open a site in the Integrated Browser and click into its username or password field. If you have a matching login, a small dropdown appears below the field; pick the entry and the username and password are filled in. If the page also has a one-time-code field and the login carries a two-factor secret, that's filled too.

Sign in to a site with credentials that aren't in your vault yet and you'll be asked whether to save them.

Two-factor codes

Any login with a TOTP secret shows its current code in the list, with the seconds left before it rolls over. Click the copy button to put the code on your clipboard, or let autofill drop it into the page for you. Secrets can be a plain base32 string or a full otpauth:// URI (the digit count, period, and algorithm in the URI are honoured).

Copy things out

Every login has copy buttons for the username, the password, and the current two-factor code - handy for the odd page that autofill can't reach, or for pasting somewhere outside the browser. Right-click a login for the same actions in one menu, plus opening its website, editing, and deleting.

Trash

Deleting a login - with the trash button on its row, the Delete item in the right-click menu, or Delete in the edit form - moves it to the Trash view rather than removing it. The Trash view is a section in the Browser Passwords sidebar, below the login list. Hover a trashed login for its Restore and Delete Permanently buttons (or right-click it for the same), and use Empty Trash in the view's title bar to clear the lot. The two permanent deletes ask for confirmation; moving something to the trash doesn't, since it's a click away from being restored. Anything left in the trash for 30 days is removed automatically, on every machine.

Backups

The Backups view (a section in the sidebar, below the trash) keeps a rolling history of vault snapshots. A new one is taken automatically whenever your logins, folders, or trash change, and Backup Now in the view's title bar takes one on demand. Each backup is an encrypted copy of the vault - ciphertext only, like the live vault - and the history rides VS Code Settings Sync, so it follows you between machines. Right-click a backup for:

• Restore Backup - asks for that backup's master password, confirms, then overwrites your current logins, folders, and trash with the snapshot.
• Restore From File... - picks a .json file written by Export Backup (it has to be one) and restores from it the same way.
• Export Backup - saves the snapshot to disk as a .json file you can keep elsewhere.
• Delete Backup - drops that snapshot from the history.

How many backups to keep is the integratedBrowserPasswords.backupCount setting (default 10; 0 turns backups off).

Change your master password

Open the settings menu (the cog at the top of the sidebar) and choose Change Master Password. You'll be asked for your current password, then a new one; the vault is re-encrypted on the spot and re-synced. The new password works on every machine once the change syncs over.

Import passwords

From the settings menu, choose Import Passwords... and pick a CSV file exported from another browser or password manager. The column layout is detected automatically - Chrome, Edge, Brave, Firefox, Safari / iCloud Keychain, Bitwarden, LastPass, KeePass, and most other CSV exports work. You'll see how many logins were found and which format was recognised before anything is added; your existing logins are left alone and exact duplicates are skipped.

Most browsers export from their password settings (e.g. Chrome: chrome://password-manager/passwords -> the three dots -> Export passwords); the macOS Passwords app exports from File -> Export.

Export passwords

From the settings menu, choose Export Passwords... to write your logins to a Chrome-compatible CSV file (name,url,username,password,note) - the same format Chrome, Edge, and Brave import. The file is plain text and not encrypted, so you're warned first; delete it once you've moved your logins. Two-factor secrets aren't part of the Chrome format and aren't included in the export.

Lock the vault

Click the lock icon at the top of the sidebar, run Browser Passwords: Lock Vault, or just walk away and let the idle timer do it. Locking clears the decrypted vault and any remembered key from this machine.

Settings

Commands

• Browser Passwords: Add Login
• Browser Passwords: New Folder
• Browser Passwords: Lock Vault
• Browser Passwords: Change Master Password
• Browser Passwords: Import Passwords...
• Browser Passwords: Export Passwords...
• Browser Passwords: Backup Now
• Browser Passwords: Restore From File...
• Browser Passwords: Empty Trash
• Browser Passwords: Extension Settings

Security notes

• Autofill only ever sends a password to a page after you explicitly pick that login from the dropdown; the page can't enumerate your vault.
• Login matching is by host name (including sub-domains), so a saved github.com login is offered on github.com and gist.github.com, but not on look-alike domains.
• The vault is decrypted in memory only while unlocked. Anyone with access to the running VS Code process could read it then - the same trade-off every password manager makes once you unlock it.

Support

If this is useful and you'd like to support its development, you can buy me a coffee on Ko-fi - always optional, always appreciated.

Contributing

npm install
npm run watch        # rebuild on change

Press F5 to launch an Extension Development Host. Handy scripts: npm run typecheck, npm run build, npm run build -- --production, npm run release (type-checks and packages a .vsix).

The extension host lives in src/ (vault crypto in src/crypto/, the CDP autofill layer in src/autofill/), the React webview in webview/, shared types in shared/. esbuild.js bundles the host, the webview, and the in-page autofill script, and copies the codicon assets into dist/.

Changelog

See CHANGELOG.md.

License

MIT - see LICENSE.