I'm writing a Chrome extension right now which autofills credentials similar to Chrome's autofill (in which case Chrome's autofill fails).
Is there a secure way to store the username/password in localstorage (all client-side)? If I encrypt the password, won't the key be locally stored as well, effectively making the encryption useless?
Effectively, I want the user's credentials to be as secure as they would be if Chrome itself was storing the credentials in its password manager.
EDIT: is storing the encrypted password in localstorage and the key in a text file within the extension directory a safe idea?
This is a lightning-rod issue. See http://blog.elliottkember.com/chromes-insane-password-security-strategy for more. The position most consistent with Chrome's would be to encourage your users to use whole-disk encryption and to lock their screen when away from a logged-in machine. It's difficult for userland code like an extension (or a browser, for that matter) to properly implement secure storage, where "properly" means "resistant to a password-recovery utility that anyone can download from the internet."
You should file a feature request. It might be possible to expose a system-level API that does provide similar security to the underlying OS's keychain.
As far as I know, local storage is not a secure place for storing the password or other sensitive details. Check out the link below; one person has commented about using the JavaScript 64 bit encoding and decoding scheme, but I don't know how far that method will prove to be useful for what you are trying to achieve.
https://getsatisfaction.com/apperyio/topics/how_to_save_account_password_securely_on_local_storage
Hope this helps!
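The concern raised in the question, as an added example that is not part of the original posts: an AES-GCM key stored beside the ciphertext lets any code that can read the store recover the password, while a key derived from a passphrase that is never stored does not. The `store` object (standing in for localStorage), the function names and the passphrase approach are assumptions made for illustration.

```javascript
// Added example. `store` is a plain object standing in for localStorage;
// all function names are hypothetical and all values are constructed.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const enc = new TextEncoder(), dec = new TextDecoder();
const AES = { name: 'AES-GCM', length: 256 };

async function seal(key, plaintext) {
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh nonce per encryption
  const ct = await wc.subtle.encrypt({ name: 'AES-GCM', iv }, key, enc.encode(plaintext));
  return { iv: Array.from(iv), ct: Array.from(new Uint8Array(ct)) };
}
async function unseal(key, { iv, ct }) {
  const alg = { name: 'AES-GCM', iv: new Uint8Array(iv) };
  return dec.decode(await wc.subtle.decrypt(alg, key, new Uint8Array(ct)));
}

// Weak: the key is written to the same store as the ciphertext.
async function storeWithLocalKey(store, password) {
  const key = await wc.subtle.generateKey(AES, true, ['encrypt', 'decrypt']);
  store.key = await wc.subtle.exportKey('jwk', key);
  store.blob = await seal(key, password);
}

// What any other code with read access to the store can do, no secret needed.
async function readAsOtherLocalCode(store) {
  if (!store.key) return null; // nothing usable is stored
  const key = await wc.subtle.importKey('jwk', store.key, AES, false, ['decrypt']);
  return unseal(key, store.blob);
}

// Stronger: the key is derived from a passphrase that is never stored.
async function deriveKey(passphrase, salt) {
  const base = await wc.subtle.importKey('raw', enc.encode(passphrase), 'PBKDF2', false, ['deriveKey']);
  const kdf = { name: 'PBKDF2', salt: new Uint8Array(salt), iterations: 600000, hash: 'SHA-256' };
  return wc.subtle.deriveKey(kdf, base, AES, false, ['encrypt', 'decrypt']);
}
async function storeWithPassphrase(store, passphrase, password) {
  store.salt = Array.from(wc.getRandomValues(new Uint8Array(16))); // salt is not secret
  store.blob = await seal(await deriveKey(passphrase, store.salt), password);
}
async function unlockWithPassphrase(store, passphrase) {
  try {
    return await unseal(await deriveKey(passphrase, store.salt), store.blob);
  } catch {
    return null; // wrong passphrase: the GCM authentication tag does not verify
  }
}
```

A derived key protects the stored blob only while it is locked; once the passphrase has been entered, code running as the same user can still observe the plaintext.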