I just had to use the Password Manager for a project I was working on, so I thought I'd braindump my notes to the wiki while I was at it. This code is tested, but barely, and I am by no means an expert on this area. Review and cleanup would be appreciated. Zachlipton 22:52, 18 July 2006 (PDT)

The code on this page will work with applications using Toolkit 1.8 and below such as Firefox 2.0.0.x and Thunderbird 2.0.0.x. For similar functionality in Toolkit 1.9, see Using nsILoginManager.

Working with Password Manager

Extensions often need to securely store passwords to external sites, web applications, and so on. To do so securely, they can use nsIPasswordManager, which provides for secure storage of sensitive password information.

Getting nsIPasswordManager

To get a component implementing nsIPasswordManager, use the following:

var passwordManager = Components.classes["@mozilla.org/passwordmanager;1"]

Storing a password

To store a password in the password manager, you need three things: a hostname/URL (you'll need this to retrieve the password again later), a username, and a password. Of this information, the password is the only data that will be stored securely. Adding a password to the password manager is easy:

passwordManager.addUser('host', 'username', 'password');

Since there's no provision to include names of HTML input fields, no password stored by this interface will be used to fill in passwords on web pages. nsILoginManager, available in Toolkit 1.9, does let you include input field names.

Retrieving a password

Retrieving a password from the password manager is more difficult. The example below should serve as a starting point:

// the host name of the password we are looking for
var queryString = 'http://www.example.com';
// ask the password manager for an enumerator:
var e = passwordManager.enumerator;
// step through each password in the password manager until we find the one we want:
while (e.hasMoreElements()) {
    try {
        // get an nsIPassword object out of the password manager.
        // This contains the actual password...
        var pass = e.getNext().QueryInterface(Components.interfaces.nsIPassword);
        if (pass.host == queryString) {
             // found it!
             alert(pass.user); // the username
             alert(pass.password); // the password
    } catch (ex) {
        // do something if decrypting the password failed--probably a continue

Note that the user will be prompted for their master password if they have chosen to set one to secure their passwords.

Removing a password