Browser Extension Setup
Bring your BoxOwl vault to every form on the web.
What the extension does
- One-click autofill on any web form — addresses, contact details, payment methods, identity fields.
- Password autofill on login forms with a credential picker, plus password capture when you sign up somewhere new.
- Passkey provider — the extension can store and use WebAuthn passkeys on sites that support them.
- Gift shopping mode — look up a friend's public profile by handle and fill their shipping address.
- Security dashboard — flags weak, reused, and breached passwords; runs HIBP k-anonymity checks locally.
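The k-anonymity range check named in the last bullet, as an added example (not BoxOwl's own code): only the first five hex characters of the password's SHA-1 leave the device, and the suffix comparison happens locally. The function names, the stubbed `fetchRange` and the sample response are constructed for illustration.

```javascript
const { createHash } = require("node:crypto");

// SHA-1 the password; only the first 5 hex characters are ever sent.
function splitHash(password) {
  const hex = createHash("sha1").update(password, "utf8").digest("hex").toUpperCase();
  return { prefix: hex.slice(0, 5), suffix: hex.slice(5) };
}

// Parse a range response: one "SUFFIX:COUNT" pair per line, 35 hex chars each.
function parseRange(body) {
  const counts = new Map();
  for (const line of body.split(/\r?\n/)) {
    const m = /^([0-9A-Fa-f]{35}):(\d+)$/.exec(line.trim());
    if (m) counts.set(m[1].toUpperCase(), Number(m[2]));
  }
  return counts;
}

// fetchRange(prefix) -> response body. Injected so the check runs offline;
// a real client would GET https://api.pwnedpasswords.com/range/<prefix>.
function checkPassword(password, fetchRange) {
  const { prefix, suffix } = splitHash(password);
  const counts = parseRange(fetchRange(prefix));
  // The suffix is matched locally; a padded entry carries a count of 0.
  return { sent: prefix, breachCount: counts.get(suffix) ?? 0 };
}

// Constructed sample response for prefix 5BAA6 (the counts are made up).
const SAMPLE_RANGE = [
  "0018A45C4D1DEF81644B54AB7F969B88D65:1",
  "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3", // suffix of SHA-1("password")
  "0".repeat(35) + ":0",                    // padding-style entry
].join("\r\n");

const requested = []; // every value the stub "server" gets to see
function stubFetchRange(prefix) {
  requested.push(prefix);
  return prefix === "5BAA6" ? SAMPLE_RANGE : "";
}

console.log(checkPassword("password", stubFetchRange));
console.log(checkPassword("a long constructed passphrase 7431", stubFetchRange));
```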
1. Install
The extension is distributed directly from boxowl.me/download as a zipped Manifest V3 build.
- Open boxowl.me/download in Chrome, Edge, or any Chromium-based browser.
- Download the extension ZIP and unzip it locally.
- Open chrome://extensions, toggle Developer mode, and click Load unpacked.
- Pick the unzipped folder. The BoxOwl owl icon should appear in your toolbar.
- Pin it to the toolbar for one-click access.
2. Sign in
- Click the BoxOwl icon. You'll see a Welcome screen — tap Log In.
- Enter your email (or handle) and password.
- If you have MFA enabled, the extension will prompt for your 6-digit authenticator code. If you've lost your authenticator, tap Use recovery code to enter one of your saved codes.
- The extension is now signed in. The vault stays locked until you set or enter your vault passphrase the first time you save or autofill a password / payment method.
3. Unlock the vault
End-to-end encrypted entries (passwords, payment methods, secure notes) require a separate vault passphrase. The first time you save a password or add a card in the extension, you'll be walked through setup:
- Pick a passphrase of at least 12 characters. The extension uses Argon2id (m=64MiB, t=3, p=4) to derive your encryption key from it.
- BoxOwl shows you a 12-word BIP-39 recovery phrase once. Write it down and store it offline. This is the only way to recover encrypted entries if you forget your passphrase — BoxOwl servers never see it.
- The extension confirms 3 random words from the phrase so you know you saved it correctly.
On subsequent logins, just enter your passphrase. The derived key-encryption key (KEK) stays in service-worker memory and is locked automatically after 15 minutes of inactivity.
If you set up your vault from the Android app already, use the same passphrase in the extension — the keys are interoperable.
4. Autofill any form
Two ways to fill:
- Click-to-fill: open the BoxOwl popup, hit Auto-Fill Form or one of the category-specific buttons (Address, Contact, Payment, Names, Emails). The extension scans the active page, picks the best vault values, and types them in.
- Inline credential picker: focus a username or password field on any login page. A small overlay appears with matching entries — click one to fill both fields. Keyboard shortcut Ctrl+Shift+L (or ⌘+Shift+L on macOS) opens the picker on the focused field.
For checkout pages, the extension also detects payment-field shapes (cc-number, cc-exp, cc-csc). Pick a card, the popup prompts for vault unlock, and the PAN is decrypted locally and injected. The CVV is requested as a transient entry; it's never stored.
5. Save a new password
The extension watches every form submission. If it sees a username/password pair on a page that isn't in your vault, the toolbar badge gets a small dot and a "Save Password" banner appears the next time you open the popup. From there you can:
- Save the captured credentials as-is.
- Edit the label, website, username, or tags before saving.
- Choose Not now to dismiss.
Password-change pages are detected separately. When the extension sees 2+ password fields or a URL like /password, it offers to update a matching existing entry rather than create a new one.
6. Generate a strong password
Inside any password-entry form, click the 🎲 icon next to the password field to open the generator. Adjust length (8–64), toggle character classes, and copy the result. A strength meter gives directional feedback (very-weak → very-strong based on entropy bits).
There's also a standalone Password Generator tile on the dashboard for one-off generation.
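A generator with the controls described above (length 8–64, per-class toggles, entropy in bits), as an added example rather than the extension's own code. The function names and the symbol set are assumptions, and Node's `randomBytes` stands in for the browser's `crypto.getRandomValues`.

```javascript
const { randomBytes } = require("node:crypto");

const CLASSES = {
  lower: "abcdefghijklmnopqrstuvwxyz",
  upper: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
  digits: "0123456789",
  symbols: "!@#$%^&*()-_=+[]{};:,.?", // constructed symbol set (assumption)
};

// Uniform index in [0, n) by rejection sampling: bytes at or above the largest
// multiple of n are discarded, so `byte % n` does not favour low indices.
function uniformIndex(n) {
  const limit = 256 - (256 % n);
  for (;;) {
    const b = randomBytes(1)[0];
    if (b < limit) return b % n;
  }
}

// Concatenate the enabled character classes into one pool.
function buildPool(enabled) {
  return Object.keys(CLASSES).filter((k) => enabled[k]).map((k) => CLASSES[k]).join("");
}

function generatePassword(length, enabled) {
  if (!Number.isInteger(length) || length < 8 || length > 64) {
    throw new RangeError("length must be an integer from 8 to 64");
  }
  const pool = buildPool(enabled);
  if (pool.length === 0) throw new RangeError("enable at least one character class");
  let out = "";
  for (let i = 0; i < length; i++) out += pool[uniformIndex(pool.length)];
  return out;
}

// Entropy of a uniformly random string: length * log2(pool size).
function entropyBits(length, enabled) {
  return length * Math.log2(buildPool(enabled).length);
}

const demo = { lower: true, upper: true, digits: true };
console.log(generatePassword(20, demo), entropyBits(20, demo).toFixed(1), "bits");
```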
7. Import from another manager
The extension can import from 1Password, LastPass, Bitwarden, Chrome, and Safari exports.
- Export your credentials from the other manager as a CSV.
- Open the BoxOwl popup, tap Import Passwords, and pick the CSV.
- The extension detects the format from the column headers, previews the entry count, and shows any rows it'll skip (missing password, etc.).
- Unlock your vault, confirm, and the import runs. Failed rows are reported individually — one bad row doesn't stop the rest.
The CSV never leaves your device. Encryption happens locally; only the ciphertext is uploaded.
Settings + lock behaviour
From the extension popup > Settings:
- Auto-fill forms on page load — off by default. When on, identifiable forms get filled automatically without a click.
- Show notifications — on by default. Disable to silence the post-fill toasts.
- Default fill mode — Auto-detect vs Click-to-fill.
The vault auto-locks after 15 minutes of inactivity by default. The timer resets on every successful vault operation. You can lock manually any time from the password-list screen.
Troubleshooting
- Picker doesn't appear on a login form — Make sure the extension is signed in (the popup should show your email). Check that the page is HTTPS; the extension refuses to autofill credentials on plain HTTP.
- "Wrong passphrase" — Try your BIP-39 recovery phrase from Recover Vault. If you've never set one up, you've lost access to E2EE entries; they can't be recovered.
- Autofill picks the wrong field — Open the popup and use a category-specific button (e.g., Fill Address) instead of Auto-Fill Form. The category buttons skip the heuristic match step.
- Passkey prompt fails on a website — The extension's MAIN-world bridge requires document_start injection. Reload the page and try again; if the site uses an iframe, the parent frame is what we hook.