Integrated Browser Passwords

A password manager for the VS Code Integrated Browser. It fills your logins into pages, hands you two-factor codes, and keeps an encrypted vault that rides Settings Sync between machines - so signing in stays inside the editor, where you already are.

Install

Open the Extensions view in VS Code (Ctrl/Cmd+Shift+X), search for Integrated Browser Passwords, hit Install - or grab it from the Marketplace.

A Browser Passwords key icon shows up in the Activity Bar. Click it, pick a master password, and you have a vault.

How it works

Your logins are encrypted with a key derived from your master password (scrypt) and sealed with AES-256-GCM. Only the ciphertext is stored - in the integratedBrowserPasswords.vault setting - so it syncs across your machines like any other setting, while staying useless to anyone who reads it. The master password is never written down or synced; if you forget it, the vault cannot be recovered.

Each machine can optionally remember the unlocked key in its own OS keychain (via VS Code's secret storage, which does not sync) so you are not retyping the master password every session. When the vault isn't remembered, it re-locks automatically after a configurable idle time; when it is, it stays unlocked across windows and restarts until you lock it explicitly.

A rolling history of backups - encrypted snapshots of the vault - is kept in VS Code's synced storage, so a recent version is always recoverable, even from another machine.

Using it

Set up the vault

The first time you open the sidebar you'll be asked to choose a master password. Pick something you'll remember; there is no reset. After that, the sidebar shows your logins. If you open VS Code on another machine that's signed in to Settings Sync, the vault comes with it - you just unlock it with the same master password.

Add a login

Click the + at the top of the sidebar (or Add login when the list is empty). Fill in a name and, ideally, the website - that's what's used to match pages later. Add a description (it replaces the username under the name in the list when set), a custom icon (any image, resized to 32x32), a username and password, generate a strong password with the Generate button if you like, and any extra fields (text notes, recovery codes, two-factor secrets, API keys). Save.

Extra fields

Every login can carry an unlimited number of extra fields. Each has a name, a type (Text, Password, or MFA code), and a value. They appear in the row's right-click menu as Copy <field name>. The first MFA field shows inline under the password with its live code and countdown; the rest are hidden behind an Extra fields toggle at the bottom of the row.

When a login has more than one MFA field and autofill needs to fill a one-time-code field, a small picker drops down over the field listing each code with its name and live countdown - click one to fill.

Folders

Click the new-folder button at the top of the sidebar to create a folder, then drag logins onto a folder's header to file them there - or drag them onto the General header to take them back out. Drag a folder's header onto another folder to move it inside, or onto General to bring it back to the top level. Folder headers collapse, show how many logins are inside (counting subfolders), and right-click for Rename Folder, New Subfolder, and Delete Folder. Folders nest as deeply as you like; deleting one removes its subfolders too, but the logins that were inside stay in your vault, just ungrouped. The General group that holds ungrouped logins can be renamed too - right-click its header and choose Rename - it's just called "General" until you do.

Searching and sorting

The toolbar above the list has a search button that shows or hides the search bar; the bar has match case and use regular expression toggles inside it, like the editor's find widget. The sort button next to it picks whether the list is ordered by name, website, or username, ascending or descending. Both stay the way you left them.

Autofill in the Integrated Browser

Open a site in the Integrated Browser and click into its username or password field. If you have a matching login, a small dropdown appears below the field; pick the entry and the username and password are filled in. If the page also has a one-time-code field and the login has exactly one MFA field, that's filled too; with more than one, a picker dropdown shows over the code field so you can choose.

Sign in to a site with credentials that aren't in your vault yet and you'll be asked whether to save them. When existing logins on sibling subdomains of the same registrable domain (e.g. mail.google.com while you're on www.google.com) share the username, you can pick which one to update or save a new login.

Two-factor codes

Add a two-factor secret as an extra field with type MFA code - a plain base32 string or a full otpauth:// URI (the digit count, period, and algorithm in the URI are honoured). The first MFA field on a login shows its current code inline in the list with a countdown; copy it from the row's button or the right-click menu, or let autofill drop it into the page for you.

Passkeys

The Integrated Browser has no built-in WebAuthn support - VS Code denies the webauthn permission on its embedded webcontents, so sites that ask for a passkey just abort. This extension fills that gap by replacing navigator.credentials.create and get with a software authenticator that mints, stores, and signs with keys held in the vault.

When a site offers to register a passkey, a small picker appears over the page asking which existing login to save it on (or to create a new one for the site) and what to call it. Confirm and the passkey is stored as a passkey-typed extra field on the chosen login, alongside your password if you had one. ES256, RS256, and Ed25519 are all supported, picked from the algorithms the relying party asks for.

When a site offers a passkey sign-in, a similar picker lists the stored passkeys that match it. Click one to sign in; sibling subdomains of the same registrable domain match the way autofill matches a saved login. Turn off integratedBrowserPasswords.passkeys.promptOnUse to skip the picker for sign-in and always use the most recently used matching passkey instead.

A key icon next to a login's name marks logins that hold a passkey. Expand the row to see each passkey with its name and created / last-used dates, with a button to delete it; the same items also appear in the right-click menu. Passkeys can be removed from the edit form too, but not added there - registration only happens through a real create() ceremony in the browser. Keys ride VS Code Settings Sync along with the rest of the vault.

Passkey support can be turned off entirely from the integratedBrowserPasswords.passkeys.enabled setting - useful if a site's WebAuthn implementation does something we don't handle and you'd rather it just fail.

Copy things out

Every login has copy buttons for the username, the password, and the first MFA code - handy for the odd page that autofill can't reach, or for pasting somewhere outside the browser. Right-click a login for the same actions in one menu, plus opening its website, copying any extra field by name, editing, and deleting.

Trash

Deleting a login - with the trash button on its row, the Delete item in the right-click menu, or Delete in the edit form - moves it to the Trash view rather than removing it. The Trash view is a section in the Browser Passwords sidebar, below the login list. Hover a trashed login for its Restore and Delete Permanently buttons (or right-click it for the same), and use Empty Trash in the view's title bar to clear the lot. The two permanent deletes ask for confirmation; moving something to the trash doesn't, since it's a click away from being restored. Anything left in the trash for 30 days is removed automatically, on every machine.

Backups

The Backups view (a section in the sidebar, below the trash) keeps a rolling history of vault snapshots. A new one is taken automatically whenever your logins, folders, or trash change, and Backup Now in the view's title bar takes one on demand. Each backup is an encrypted copy of the vault - ciphertext only, like the live vault - and the history rides VS Code Settings Sync, so it follows you between machines. Right-click a backup for:

• Restore Backup - asks for that backup's master password, confirms, then overwrites your current logins, folders, and trash with the snapshot.
• Restore From File... - picks a .json file written by Export Backup (it has to be one) and restores from it the same way.
• Export Backup - saves the snapshot to disk as a .json file you can keep elsewhere.
• Delete Backup - drops that snapshot from the history.

How many backups to keep is the integratedBrowserPasswords.backupCount setting (default 10; 0 turns backups off).

Change your master password

Open the settings menu (the cog at the top of the sidebar) and choose Change Master Password. You'll be asked for your current password, then a new one; the vault is re-encrypted on the spot and re-synced. The new password works on every machine once the change syncs over.

Import passwords

From the settings menu, choose Import Passwords... and pick a CSV file exported from another browser or password manager. The column layout is detected automatically - Chrome, Edge, Brave, Firefox, Safari / iCloud Keychain, Bitwarden, LastPass, KeePass, and most other CSV exports work. You'll see how many logins were found and which format was recognised before anything is added; your existing logins are left alone and exact duplicates are skipped.

Most browsers export from their password settings (e.g. Chrome: chrome://password-manager/passwords -> the three dots -> Export passwords); the macOS Passwords app exports from File -> Export.

Export passwords

From the settings menu, choose Export Passwords... to write your logins to a Chrome-compatible CSV file (name,url,username,password,note) - the same format Chrome, Edge, and Brave import. The file is plain text and not encrypted, so you're warned first; delete it once you've moved your logins. Text-typed extra fields are merged into the note column; MFA and password-typed extra fields aren't part of the Chrome format and aren't included.

Lock the vault

Click the lock icon at the top of the sidebar, run Browser Passwords: Lock Vault, or just walk away and let the idle timer do it. Locking clears the decrypted vault and any remembered key from this machine.

Settings

Commands

• Browser Passwords: Add Login
• Browser Passwords: New Folder
• Browser Passwords: Lock Vault
• Browser Passwords: Change Master Password
• Browser Passwords: Import Passwords...
• Browser Passwords: Export Passwords...
• Browser Passwords: Backup Now
• Browser Passwords: Restore From File...
• Browser Passwords: Empty Trash
• Browser Passwords: Extension Settings

Security notes

• Autofill only ever sends a password to a page after you explicitly pick that login from the dropdown; the page can't enumerate your vault.
• Autofill matching is by host name (including sub-domains), so a saved github.com login is offered on github.com and gist.github.com, but not on look-alike domains. The save prompt is wider - it also offers to update saved logins on sibling subdomains of the same registrable domain (computed against the Public Suffix List).
• Passkey ceremonies are gated on the same registrable-domain check, so a page on evil.com cannot mint or use a passkey scoped to bank.com. Cross-origin iframes are rejected - a real authenticator only accepts a top-level browsing context unless the embedder grants publickey-credentials-get, and we apply the stricter rule.
• The passkey picker is rendered in the page's own DOM (same trade-off as 1Password and Bitwarden's browser extensions). A real platform authenticator like Touch ID gets an OS-level UI a malicious page can't draw over; this one doesn't. Passkey private keys never leave the extension host - the in-page shim only sees the final attestation or assertion.
• The vault is decrypted in memory only while unlocked. Anyone with access to the running VS Code process could read it then - the same trade-off every password manager makes once you unlock it.

Support

If this is useful and you'd like to support its development, you can buy me a coffee on Ko-fi - always optional, always appreciated.

License

MIT - see LICENSE.