I've used this for a long time, and along with its Git integration (pushing/pulling to/from a repository on my own server, accessed over SSH) and a GPG key stored on a Yubikey Neo, I've got basically seamless sync between two laptops, a desktop and an Android phone, without using any third-party service.
The "Password Store" app on Android is compatible with `pass` and supports Git and NFC for using the Yubikey Neo to decrypt the passwords.
I've got the same setup, it's pretty great. One thing, though: make sure you have another way of decrypting your passwords! I lost my Yubikey once, and I lost all my passwords. Now I have a copy of that key on a USB drive I keep at home in a small safe.
What's the best way to back up the private key on your Yubikey? Do you just generate it on your computer instead of on your device, and then back that up?
Generally a good way to do this is via GPG subkeys. You keep your master/certifying key offline, in your safety deposit box, and load a subkey onto your Yubikey. If the Yubikey is lost, you can easily revoke the subkeys and generate new ones.
Thanks for the link. I started reading through that, and it is quite involved. I'm still deciding if it's worth it.
I'm not sure I fully understand subkeys. It looks like they can be used in place of my main key, and I can generate new subkeys from my main key. Is this so I can revoke my subkeys if they are ever compromised? Can other subkeys decrypt my 'pass' files or is that limited to the subkey that generated them? It seems like the existing private key would be able to decrypt passwords in the future even after it was revoked, if the user still had the original files.
Yes -- revocation is just an indicator of the subkey's trust going forward. Once revoked, the user would generate a new subkey and re-encrypt their password wallet. While the git features and multi-key capabilities of pass lend well to very lightweight team usage, the model is definitely best suited for use by an individual.
Sorry, to clarify, you need to keep a backup of all subkeys alongside your master/certifying key. Data encrypted to a given subkey can only be decrypted by that same subkey.
Honestly, if you're using GPG strictly for personal password wallet encryption, and don't intend to maintain an identity tied with the key long term, there's no need to do the subkey thing -- just create an offline key, load it to your YK, then securely store the offline key.
Subkeys shine when you want to maintain an identity long term, while allowing rotation of the keys that do your day-to-day encryption (or signing/auth).
The only problem I have with the Password Store application is that the Git integration seems to be a bit broken.
It often refuses to push, pull or sync despite having no conflict.
But you just have to delete the store and pull everything again, so it's not a huge problem.
I don't think the git integration can be broken. You can go into the ~/.password-store directory yourself and see what is going on next time you have issues (it's just a regular git repo).
I have the same setup, but I haven't yet been able to get the Yubikey Neo to work as a GPG key on android via NFC. It prompts for a PIN, but the PIN I use for GPG on linux isn't accepted. There's also no working windows client for this setup, so I find I have to manually copy a lot of 20 character complex passwords by hand these days.
I recommend using Pass or Keepass, because we can see the source code. But like all these password managers, you need to synchronize your password vault.
If you do not want to synchronize your vault among all your devices, but still want to have a unique password per site, try LessPass[1]. LessPass is a stateless open source password manager.
Lesspass seems nice but how about keeping all passwords in a .txt file and password protecting that file?
One benefit of the password-protect-text-file method over Lesspass is you can also save answers to so-called "security questions" (for those sites that still use them, like Paypal and government sites).
Alternatively, one can use Schneier's write-down-password-on-a-small-piece-of-paper method.
This method works very well. I have one large text file containing all my credentials, stored in an encrypted VeraCrypt file.
I have all this stored in my Linux box. I back up to my server-side encrypted AWS S3 bucket protected with 2FA. No need for me to sync anything, but if I need access to my VeraCrypt file, I can download it when required.
I've used this method for two decades now, first using OSX .dmg files, then TrueCrypt, now VeraCrypt. Simple, and works well.
I suppose the main pain with this method would be accessing the passwords on other devices. For example, I'd prefer to be able to copy/paste password on my phone, instead of referring to another computer and typing it in one random character at a time.
https://ss64.com/pass/
It is similar to LessPass but is entirely JavaScript in the browser, so you can save the page and run a local copy completely offline or upload it to your own website. There's also a command-line version for both bash and PowerShell: https://ss64.com/pass/command-line.html
This is pretty brilliant. My biggest concern is that if my password for a site gets compromised, it gets a lot more complicated. Presumably I'd have to memorize a separate master password for retrieving the new password for that site.
But once you did that it wouldn't be stateless anymore as you'd need to connect to their server every time to check on the state of that site's password. This makes it not that much different from traditional online managers where you have to connect to the site to retrieve the password.
There is still the benefit that the passwords can't be exposed by a compromise of the service. Presumably it doesn't store your master password anywhere, so all they'd get is the site and counter info.
You also have the option to save this profile db locally, or store it yourself manually in a txt file if you really care. That's also necessary if a certain site has password restrictions.
But then you have to remember the counter setting for that website. So it's almost the same problem; I could just add a 1 to the end of my master password for that website.
I've just installed it and haven't yet used it, but as far as I can tell from the docs, the counter is stored as part of the syncable profile for a site.
The profile is also used to store other site-specific attributes, like if it has some weird password rule that requires pure alphanumeric or a specific password length.
No, the counter would be saved by LessPass. Every time you look up the password for that site, it'll already know what the counter is set to for that site.
This blog post[0] shows how LessPass lets you change passwords per site, and get around tricky password requirements.
Not at all. While Masterpassword does not save any passwords but generates it based on some unique parameters live - pass stores passwords and notes encrypted with GPG in a git repository.
The list of differences to LastPass is long.
Pass is open source. Pass doesn't store your information on anybody else's computer by default. Pass has no first-party browser plugin and is therefore not open to attack through browser plugin holes.
On the other hand you control everything by yourself including batch updating your passwords. And there's no online service.
I use KeePass and I only keep the database on my phone. When I need the database on my laptop, I use kdeconnect to share the file. Which basically uses sftp with a temporary key.
There is no need to put anything on someone else's computer.
Pass is pretty awesome, but nowadays I've switched to gopass: https://github.com/justwatchcom/gopass - much better support for teams, structured secrets, binary secrets and quite a few other improvements. Oh, and it's (mostly) drop-in compatible.
Looks nice. Unfortunately I would never use it for teams as it doesn't have audit logs. These are very useful in case a user is compromised - you can look up which passwords he accessed and only change those. Same goes if the user left the team and you want to make sure all accesses are revoked.
My impression of Vault is that it is more useful for automated situations. How useful is it as a shared password manager? Do you have non-technical folks using it? And if so, how are they interacting with the vault?
No purely non-technical individuals as far as I know, but there are a number of non-developer analysts using it who wouldn't otherwise have much exposure to a console. The flexibility of the access policies and the ability for users to easily/securely share secrets under a path with only their team and be able to have multiple policies for multiple teams all under one roof far outweighs any minor struggle during initial adoption.
Sounds like a great idea for a side project. Build a user-friendly interface that leverages a remote vault server on the backend. Its primary use case is definitely for applications.
There are a handful of web-based UIs that have been built. And I believe Hashicorp offers one with their enterprise product. But from what I can gather they all still have a bit more of a learning curve than your average password manager.
Really? What if s/he just decrypted the file themselves and had a look at the content, rather than using the convenient wrapper that a password manager provides?
Yep. Or saves the plaintext of the password elsewhere after using it once for a "legit" use.
Rule zero of security is that you can't ask people to forget things. If they had knowledge of a shared secret and they're not supposed to going forward, then that shared secret needs to be changed.
That's the whole point of audit logs. You look up the passwords he accessed and only rotate those (vs rotating all of the team's shared secrets because you don't know which ones he used/saved/etc).
You're missing the point. The software has no way to tell if a compromised user looked at certain passwords out of band. The audit logs aren't guaranteed to be complete, so you should rotate every key they could have accessed anyway.
No it actually is not the whole point. Security is never convenient. If you do not have an active password rotation automated for all accounts, even shared, then you should be more worried about an employee reporting you to compliance officers. #justsaying
Huh? It's not reasonable to expect automated password rotation for all shared secrets, especially for external services that a team could use. Some passwords will always need to be rotated manually.
That's why password managers that do support audit logs (normally) do not provide this kind of mechanism of manually decrypting the file. The only way of accessing passwords would be through whatever interface they came up with.
The password manager of course does not "provide" such a mechanism (I imagine providing a "bypass audit logs" button would not be a popular feature). But if you know the key (the master password, or some derivative of it) and you have the ciphertext then you will be able to get the plaintext.
The only way this kind of auditing could be trusted is if all the secrets are stored on the server that implements the auditing, which is exactly the model I believe that most users of `pass` are trying to avoid.
The whole point of the discussion was to highlight a feature that I was missing here - ability to audit who accessed what.
There will always be a person with admin (or master password) access who can edit logs or bypass them entirely, but this is supposed to be a person who has the final responsibility in the team's 'chain of command'. The audit log exists so that this very admin can monitor the logs for suspicious behavior and clean up the passwords after a team member leaves. Hence, having the ability to decrypt the db with a master password is irrelevant as the master password should only be accessible to the admin.
I use pass and love it. It provides a lot of flexibility. To fix the "website metadata is leaked in filenames" issue, I use another project by Jason, ctmg[0]. I changed the pass directory to be one directory deeper, encrypted it and just do `ctmg open` when I boot to open my password list (similar to unlocking a KeePassX store) then use pass as normal. On shutdown, the opened folder is re-encrypted automatically. You could also set a ctmg close on a timer if you don't want the list to be available during your entire session after open.
Other things I do:
* store all the files as .toml files so I can rip specific keys with a custom script.
* Have a directory for web so `pass web` will give me all websites. Have a script to fill username pass for each.
* Have a directory for contacts. Then wrote a script to generate vCard files by crawling and pulling keys, base64 profile images and all.
Since pass supports extensions, you can make your setup less complex using pass-tomb. 'pass-tomb' keeps the whole tree of passwords encrypted inside a tomb, see https://github.com/roddhjav/pass-tomb
Nice to hear somebody out there is using ctmg. I never bothered making packages for distros other than Gentoo, but ctmg is quite useful so maybe I'll do that.
Cheers.
Yeah for sure, I was too lazy to make a PR on nixpkgs, but this[0] is what I wrote if anyone stumbles on this using NixOS. The nix package manager can be installed on top of most OS's too.
Syncthing has a mobile app and there's an app for pass called PasswordStore[0] using OpenKeychain[1] (pgp manager). I'm not a fan of putting my private key on my mobile, but if I were, this would be a nice setup.
Note that pass was developed (and is maintained) by Jason Donenfeld (zx2c4), the same person who developed WireGuard, the new VPN protocol.
Not that my opinion is worth a whole lot, but this is the password manager I would choose to use if I wasn't using 1Password. Where many other password managers use convoluted constructions with (e.g.) AES and PBKDF2, this is very straightforward GPG.
This looks to me like the correct way to do this in bash, as long as you can guarantee that $PREFIX does not start with whitespace (which may be a valid assumption here).
From what I can tell, the code quality is way better than what you see in your average bash script.
GPG is FIPS 140-2 compliant (though pass itself might not be, depending on the specific way it's used). Most likely pass would have to use GPG in a specific FIPS-compliant mode to pursue validation.
GPG has a FIPS mode that will use FIPS 140-2 primitives.
But you'll have a finding in an audit in some circumstances as it hasn't been validated. I've seen cases where they'll miss that if it's running on RHEL, but it's a risk.
I mount my pass dir with encfs. Mount when I need access to passwords, and no need to remember to close it before I shut down (or if the machine randomly crashes).
I can store the encfs encrypted tree on cloud storage (spideroak in my case) and have it synched across machines. Works pretty well.
That seems like saying why use an encrypting password manager at all if you're using full disk encryption, isn't it okay to just keep your passwords in plaintext on your encrypted disk?
Encryption only protects files at rest. The vast majority of attacks are against live systems connected to a network, where full disk encryption won't help you one bit. It is a nice extra layer of protection for when a device is lost/stolen, but I don't consider it a primary form of protection for any important data.
Check out pw, my alternative to pass, designed because of the reason you mentioned: I don't want my password manager to leak the list of services I use.
In pw each password database is a single file, the internal indexes are random IDs. Each line in a database is a serialized GPG file with a password and associated metadata.
The file format is git-compatible and everything can be managed with standard command line tools.
It's not. When you decrypt one file you have all of your passwords in-memory (terminal, clipboard, browser extension, qtpass). When you do that for one login/password pair you only expose that pair, not all of the others.
When you decrypt, you have the key in memory in either case. Assuming you don't put all the password into an untrustworthy output (terminal, clipboard, etc), what's the difference ?
With all the discussion about 1Password and its decision to "more or less" move to the web and a subscription-based model, I had a TODO to look at what the open source community had; especially regarding browser plug-ins, mobile apps, etc. I don't understand why a simple problem like password management needs a subscription and a private company to create software for the problem.
This post seems to have saved me the trouble of Googling myself. I am installing on the Mac and iOS as we speak.
> I don't understand why a simple problem like password management, needs a subscription and a private company to create software for the problem.
Speaking from recent experience migrating non technical users to 1Password, while something like pass might work well for me/the typical HN user, there's no way I'd try to get family to use it. I have found the overall 1Password user experience to be very friendly and reliable, but am still semi regularly having to help family figure out/re-explain something about how it works. They'd be lost with something like pass.
I wish people would pay pass (or some other auditable open source software team) for this sort of thing instead.
The situation is particularly painful for security critical software like password managers and disk encryption. Commercial software could be keeping a rot-13 copy of the database on an anonymous ftp server for all I know (or, worse, be written for a leaky JavaScript sandbox).
The open source stuff generally stalls out after the first 90% of the functionality is there, and the second 90% of the work remains.
I haven't used the iOS client, but on Android the most common way to sync is to use your own Git repository accessed over SSH. You could use a private GitHub repo or one on your own server.
Same on iOS: it authenticates to your git repo either with a password or an SSH key. The only "complexity" in setting the app up is giving your public and private GPG keys to the iOS app (you can transfer them using iTunes - there's also a facility to scan a QR code, but I don't know how you generate that from your GPG credentials).
> there's also a facility to scan a QR code, but I don't know how you generate that from your GPG credentials
Search for qr on the Python package index using pip. There's a module that you can pipe text to and then it'll render a QR code in your terminal using Unicode glyphs. Worked well last I tried. Don't remember what the module was called but you'll be able to find it, I'm sure.
I love Pass, but the problem I've had is that I always feel like I have to spend a bunch of time setting it up when I'm on Windows.
I understand it's the standard UNIX password manager, so I suppose I don't have a ton of room to complain, and most of my computers are Mac or Linux, so it's not a huge deal, but I think it increases the barrier of entry for a ton of people.
That said, I think Pass is awesome, and having my passwords stored in Github makes me really happy.
It's somewhat easier with Bash on Ubuntu on Windows, tho kinda broken (because the copy to clipboard feature doesn't work out of the box unless you're running an X server).
But yeah, I kinda don't like using Gpg4Win with Cygwin, which is what I'm guessing you've used too.
With the "Creators Update" there's now a `clip.exe` to which one can pipe so maybe it's not too hard to update Pass, which is itself just a Bash script.
The nonexistent browser support makes it even more troublesome to set up. There is some support on Linux systems, but Windows is plain out of luck.
I really like the idea of pass, but I'll never accept copy-pasting logins/passwords again. They'll need to be automatically inserted on a matching website. Everything else is too much manual overhead for my taste.
Please understand that browser integration is the Achilles' Heel of password managers. While you get the convenience of autofill, you're also bringing access to your password database into the browser's attack surface. Bugs in the browser sandbox or improper extension implementations can allow rogue sites to get the goods. There have been multiple instances of major password manager extensions leaking secrets just in the last year.
Copying and pasting may be annoying, but it's much safer, especially if you use a program that will autoclear your clipboard for you (KeePass 2 does this after 12 seconds by default).
I agree that browser integration is troublesome. To circumvent having to use a browser extension I use rofi-pass[0] which is an external script (using rofi/dmenu and pass), so no browser integration. But it features autofill which is extremely convenient.
Yes, as I said before, there is some support for Linux systems. I'm using both Linux and Windows as well as Android. My password manager will need to support and autofill on all environments with at least Firefox and Chrome.
pass has Linux covered (both Chrome and Firefox), but doesn't really work for Windows.
Android is really tiresome as well, as there is no way to skip my long master password in favour of a fingerprint. I know, it's not easy to implement that feature securely.
Browser integration just means you trust the plugins that provide browser integration. May not always be secure. With the recent trend of popular browser extensions being made adware after purchasing them I wouldn't always trust them. A time out clipboard is sufficient for me.
How does this compare to other popular solutions? Specifically, KeepassX / Keepass2 which are the most common solutions I've seen most Unix / Linux users employ. Can we objectively state which one is a better solution?
So it does, yes. I forgot about that, since I needed to write my own wrapper to paste both username and password (stored on separate lines) anyway. Thank you for the correction, I'll update my post.
There is also QtPass (GUI around pass), and various browser extensions (e.g. BrowserPass).
Of course one has to set it up, it's not an integrated solution. But GPG provides interesting features like storing encryption keys on hardware devices. Some devices like Yubikeys can have touch-to-use enabled. So each use of a secret requires a touch (after PIN but that's once a session). Perfect combination of convenience and security for me.
Pass encrypted passwords are kept in your computer, which I find safer than web based solutions. Optionally you can use git to share passwords between computers but you still need the gpg2 keys from the original repo.
It's basically a rotation manager! Very powerful and lets you properly change your passwords regularly on many websites (like the proprietary Dashlane Password Changer or LastPass' similar feature).
The clipboard's biggest vulnerability is the user themselves, but most password managers automatically clear their own entries after a customizable timeout.
Sure other applications can see the clipboard, but if you've got software running on the user's machine you've already won.
It's trivial to script if you want (either by modifying the rather simple pass script itself or by wrapping around it).
Some programs support calling an external command to get a password, that's convenient (mutt and msmtp allow that for instance). I thought about integrating pass in my window manager directly but I didn't take the time to implement it yet.
pass also tries to clear the clipboard after 45 seconds.
But really, if you can't trust your clipboard what can you do? I didn't really feel a lot safer with LastPass' browser plugin.
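The timed clipboard clearing several comments mention (pass after 45 seconds, KeePass after 12) has one edge case worth getting right: if the user has copied something else in the meantime, the timer must not blow that away. The added example below is not code from the thread or from pass; it models a clipboard as an in-process object (real tools talk to xclip, wl-copy or pbcopy) and applies the same rule pass's clip helper uses, restoring the previous contents only when the clipboard still holds the password. The `Clipboard` class and the function names are assumptions for illustration.

```python
"""Timed clipboard clear with a restore-only-if-unchanged check.

Constructed example: `Clipboard` stands in for the system clipboard so the
logic can run (and be tested) without a display server.
"""
import hashlib
import threading


class Clipboard:
    """Minimal stand-in for a system clipboard holding one string."""

    def __init__(self, content: str = "") -> None:
        self.content = content

    def get(self) -> str:
        return self.content

    def set(self, text: str) -> None:
        self.content = text


def _digest(text: str) -> str:
    # Keep only a hash of the secret in the timer, not the secret itself.
    return hashlib.sha256(text.encode()).hexdigest()


def restore_if_unchanged(clip: Clipboard, secret_digest: str, previous: str) -> bool:
    """Runs when the timeout fires.

    Returns True if the password was still in the clipboard and was replaced by
    the earlier contents; False if the user had already copied something else,
    which is then left untouched.
    """
    if _digest(clip.get()) == secret_digest:
        clip.set(previous)
        return True
    return False


def copy_with_timeout(clip: Clipboard, secret: str, seconds: float = 45.0) -> threading.Timer:
    """Put `secret` on the clipboard and schedule its removal after `seconds`.

    The returned Timer can be joined by callers (or a test) that need to wait
    for the clear to happen; pass itself does this with a background sleep.
    """
    previous = clip.get()
    clip.set(secret)
    timer = threading.Timer(seconds, restore_if_unchanged, args=(clip, _digest(secret), previous))
    timer.daemon = True  # never keep the process alive just to clear a clipboard
    timer.start()
    return timer


if __name__ == "__main__":
    board = Clipboard("some earlier text")
    t = copy_with_timeout(board, "correct horse battery staple", seconds=1.0)
    print("clipboard now:", board.get())
    t.join()
    print("after timeout:", board.get())
```

Holding only the digest in the timer is deliberate: a long-lived background thread (or, in the shell version, a forked sleep process whose command line is visible in `ps`) should not carry the plaintext around for the whole timeout.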
A password manager effectively can't protect against other applications on the same machine. IMO that makes the universality of the clipboard more valuable than the safety of using alternate input methods.
Though since there are plenty of things that block pasting passwords, those alternate options are appreciated.
I think the point in discussions like these is, what is the alternative? I.e., add value to the discussion, not argue over semantics. Arguing that everything (or this thing) sucks is... non-constructive. What do you see as better alternatives?
I agree completely, the clipboard is non-trusted. Yet the fact remains, how can we transmit an arbitrary string from a secure app like a password store, to another app in need of authorization? Let's build constructive conversations.
> so you know and trust every piece of software that is running on your machine?
Ostensibly, yes. Because (as 'StavrosK said), if I don't then we can't even begin to talk about security on that machine yet. We have to start with assumptions somewhere.
If software on your machine is compromised, your machine is compromised (or will be in short order). You need to make reasonable concessions and stick with them in order to get anywhere.
I'm not particularly worried about other applications on my computer listening to the clipboard. But 99% of the time I'm pasting into a webpage in Chrome or Firefox. Can any open tab sniff the clipboard passively?
No, webpages get to the contents of clipboard only after explicit user interaction.
On the other hand it does not work this way in the other direction. Random web pages can manipulate your primary selection and overwrite it with random garbage (this primarily happens with various attempts to make copying stuff from the page more "convenient", pretty commonly resulting in a state where it is simply impossible to copy said thing into, say, rxvt directly). It is somewhat ironic that Chrome's address bar uses some magic to prevent this from happening, while the same magic is not applied to websites.
But I ended up storing everything into one single encrypted file, rather than having one file per password. Though I see the point about the UNIX philosophy (i.e. "everything is a file"), but that way you'd leak information, i.e. what the passwords stored are for.
You miss the point. Having multiple files is not a matter of Unix philosophy. Pass works with GPG keys... Multiple of them! The pass repository is to be shared among your team, so every file can be encrypted for a different, specific set of keys/users.
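The per-file design discussed in the two comments above has a concrete rule behind it: pass decides which keys a secret is encrypted to by looking for the nearest `.gpg-id` file, starting in the secret's own directory and walking up to the store root. The added example below is not code from the thread or from pass itself; it reimplements that lookup in Python over a constructed store (empty `.gpg` placeholders, no real encryption) and also lists what an observer sees without any key, which is the metadata leak the first comment objects to. The function names and the sample identities are assumptions.

```python
"""Nearest-.gpg-id recipient lookup, as pass resolves it, over a constructed store."""
import tempfile
from pathlib import Path
from typing import List


def recipients_for(store: Path, secret: str) -> List[str]:
    """Return the key ids a secret at `secret` (relative to `store`) is encrypted to.

    Walk from the secret's directory up to the store root and use the first
    .gpg-id found; lines are one recipient each, '#' starts a comment.
    """
    current = (store / secret).parent
    while True:
        candidate = current / ".gpg-id"
        if candidate.is_file():
            ids = []
            for line in candidate.read_text().splitlines():
                line = line.split("#", 1)[0].strip()
                if line:
                    ids.append(line)
            return ids
        if current == store:
            raise FileNotFoundError(f"no .gpg-id found above {secret}")
        current = current.parent


def visible_metadata(store: Path) -> List[str]:
    """Everything an observer of the repository learns without holding any key:
    the name of every secret (the .gpg suffix stripped), i.e. which services exist."""
    return sorted(str(p.relative_to(store))[:-4] for p in store.rglob("*.gpg"))


def build_sample_store() -> Path:
    """Constructed example tree in a temp directory; the .gpg files are empty
    placeholders, not real ciphertext. Sample identities are made up."""
    root = Path(tempfile.mkdtemp(prefix="pass-example-"))
    (root / ".gpg-id").write_text("alice@example.com\n")
    (root / "personal").mkdir()
    (root / "personal" / "mail.example.com.gpg").write_bytes(b"")
    # A sub-tree with its own .gpg-id, as `pass init -p team <ids>` would create:
    # secrets under it are encrypted to both team members.
    (root / "team").mkdir()
    (root / "team" / ".gpg-id").write_text("alice@example.com\nbob@example.com  # team lead\n")
    (root / "team" / "infra").mkdir()
    (root / "team" / "infra" / "db-admin.gpg").write_bytes(b"")
    return root


if __name__ == "__main__":
    store = build_sample_store()
    for name in visible_metadata(store):
        print(f"{name:28s} -> {recipients_for(store, name + '.gpg')}")
```

Two things follow from the walk-up rule: a secret placed in a new subdirectory without its own `.gpg-id` silently inherits the parent's recipients, and changing a `.gpg-id` does nothing to existing files until they are re-encrypted (pass does this when `pass init` is run for that path).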
I've seen pass mentioned like a million times but I didn't realize there were so many third party extensions for it, the comments here are pretty helpful. Thanks for the submission!
I've been using pass for a long time now. I have over 200 passwords stored.
I like it because you can use it to store sensitive info along with metadata, not just single field passwords. It's also super easy to access the info on the command line with ways to auto-copy passwords to your clipboard (which expires after 45 seconds).
I use Git; pass has integration with it out of the box (makes a commit for each change to the password store). I just push and pull periodically myself, but this could be automated. There is an Android app called Password Store that is compatible with pass and has Git integration built in.
I remember seeing some guy who had his `pass` Git repository public on GitHub and challenged the world to crack any of them. Myself, it's just git+ssh to a repository on my own server.
I use Dropbox but I also use git-remote-gcrypt[0] to encrypt the entire Git repo so that even the file names and sub-directories don't leak outside any of my computers or devices.
As others have mentioned, git / dropbox works well for this.
But personally I use a different approach. I rolled my own little rsync script that syncs files that I care about (passwords and other things) between my workstation and Chromebook (I run Linux natively on it).
I use pass on all my devices. iOS, Chromebook and CLI. I freaking love it! passforios is still on TestFlight but so good. Only a few issues with passforios:
- It forgets my GitHub password every time I upgrade
- I honestly don't like the fact that I can't turn off the pin. 4 digits with unlimited retries.
- It can't merge sometimes. I think they should be more aggressive about git rebase
You should be able to generate an SSH key that you can use in your application, right?
If you can't that's definitely gotta be an issue in their backlog. Seems more robust to have a key for an application to connect with that you can simply revoke.
I'm currently a Lastpass user. I know, trusting them to store my passwords is probably not a great idea but it works on Windows, macOS and Linux and my iPhone with no problems at all.
Would I like to move to something that isn't stored online? Yes, of course but I haven't found a decent solution that works everywhere.
I think pass is awesome if you have the workflow that supports it, but for the vast majority (myself included) it's entirely too difficult to setup and maintain. Particularly if you're using Windows regularly.
Setup is a bit of a pain, but what workflow is required? I just keep a Cygwin window or a Bash on Ubuntu on Windows window open and tab over when I need a password. With the shell auto-completion I find it easier to use than other password managers, tho I prefer not using my mouse so I'm surely biased about that aspect.
I was previously using Password Safe, on Windows, and various compatible alternatives on Linux and Mac OS. Years ago I had tried using a single 'safe' synced via Dropbox but that was a big pain in the ass because sometimes I'd inadvertently lock the safe file by, e.g. starting to add a new password but not finishing. So instead I created a separate safe file for each computer or device. To sync new passwords or changes to existing passwords I'd have to periodically merge all of the safes and manually cleanup any conflicts between them.
The main reason why I switched to Pass is that syncing the password stores on each of my devices is so much easier using Git.
Well, I'm talking from a non-developer perspective. I don't use Git daily, so I had to stand up my own Git instance or pay Github for a private repo.
PassFF works well for Firefox on my Mac, but no equivalent for Windows. If you're willing to forgo browser integration then that's less of an issue.
Lack of browser integration might also be less of an issue in Linux with dmenu or rofi plugins like others have mentioned, but that still doesn't solve Windows issues.
I had considered the Bash/Ubuntu/Windows option (instead of qtpass) but haven't tried it yet.
I use a 'remote' repo in Dropbox (and I use git-remote-gcrypt so that the remote repo is fully encrypted, i.e. even file and directory names), so you don't strictly need your own server.
I've been using this for a while and am very happy. Especially the ability to use a private git repository for synchronization of laptop and desktop makes this convenient.
If your master password leaks you are exposed on every website where you used this scheme (and you should then change every password), so on the security side this is inferior to a master password granting access to uncorrelated passwords.
By the way, I'd prefer to have a password manager on my phone (or smartwatch), and have it beam my password to my keyboard by NFC. But this solution does not exist yet.
As the other commenter pointed out, you need to carry your salt with you to deduce the actual password. On top of that, you need to keep your salt secret, otherwise it is trivial to deduce your password. So your system [password = hash(master password, salt, domain)] is exactly the same as a master password protecting several other ones. Just use your salt as a password directly at this point...
Such ideas are already implemented in deterministic password managers (erm, generators) which have some key security issues related to portability and weaker schemes that can be hacked, and if your master password is compromised or insecure. A bad idea in my opinion.
Yes, I do something like this, along with storing the password requirements and username/domain in localStorage and allowing it to sync between devices: https://webpass.rkeene.org/
What about websites that require to have special characters in your password, since the hash is just HEX?
What about multiple accounts on the same website, same password?
Hash value is just a value picked out of some domain. For most hashes this domain is Z_{2^n} with n usually divisible by 8. It is then convenient to represent that as a hexadecimal number, but there is nothing special about that particular encoding. For the purpose of generating a secure password you can even use said hash as a seed for a CSPRNG and then use it for the FIPS 181 random password generator algorithm or something similar.
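The scheme debated above, password = hash(master password, salt, domain), plus the per-site counter and profile settings from the LessPass discussion, fits in a few dozen lines, and writing it out makes both sides of the argument concrete: the hash output is just an integer that can be re-encoded into whatever alphabet a site accepts (so "the hash is just HEX" is not a real limitation), while a single master+salt pair regenerates every site password, which is the exposure the earlier comment warns about. The example below is added here and is not LessPass's or any other tool's code; the KDF choice (PBKDF2-HMAC-SHA256), the profile format and all names are assumptions for illustration.

```python
"""Deterministic per-site passwords: KDF(master, salt, domain, counter) re-encoded
into a site-specific alphabet. Constructed example, not a product's algorithm."""
import hashlib
import math
import string
from typing import Dict

ALPHABET_FULL = string.ascii_letters + string.digits + "!@#$%^&*"
ALPHABET_ALNUM = string.ascii_letters + string.digits

# Constructed sample "profiles": the per-site state (counter, password rules) that
# the comments say a stateless manager still has to keep somewhere.
SAMPLE_PROFILES: Dict[str, dict] = {
    "example.com": {"counter": 1, "alphabet": ALPHABET_FULL, "length": 20},
    "legacy-bank.example": {"counter": 3, "alphabet": ALPHABET_ALNUM, "length": 12},
}


def derive_key(master: str, salt: str, domain: str, counter: int, nbytes: int) -> bytes:
    """The hash(master, salt, domain) of the thread, with a counter folded in.

    PBKDF2 is used instead of a bare hash so that one leaked site password does
    not make brute-forcing the master password cheap; the salt must be secret
    too, since anyone holding master+salt can regenerate every password.
    """
    site = f"{domain}\x00{counter}".encode()
    return hashlib.pbkdf2_hmac("sha256", master.encode(), salt.encode() + b"\x00" + site,
                               100_000, dklen=nbytes)


def encode(key: bytes, alphabet: str, length: int) -> str:
    """Treat the key as a big integer and write it out in base len(alphabet).

    Hex is just one choice of alphabet; any set of allowed characters works.
    """
    n = int.from_bytes(key, "big")
    base = len(alphabet)
    chars = []
    for _ in range(length):
        n, r = divmod(n, base)
        chars.append(alphabet[r])
    return "".join(chars)


def site_password(master: str, salt: str, domain: str, counter: int = 1,
                  alphabet: str = ALPHABET_FULL, length: int = 20) -> str:
    # Ask the KDF for comfortably more bits than the output consumes, so every
    # character is drawn from fresh key material rather than wrapping around.
    nbytes = max(32, math.ceil(length * math.log2(len(alphabet)) / 8) + 8)
    return encode(derive_key(master, salt, domain, counter, nbytes), alphabet, length)


def password_from_profile(master: str, salt: str, domain: str,
                          profiles: Dict[str, dict] = SAMPLE_PROFILES) -> str:
    p = profiles[domain]
    return site_password(master, salt, domain, p["counter"], p["alphabet"], p["length"])


def rotate(profiles: Dict[str, dict], domain: str) -> int:
    """'Changing' a site password in this scheme means bumping its counter;
    the new counter is state that must travel with the user."""
    profiles[domain]["counter"] += 1
    return profiles[domain]["counter"]


def all_passwords(master: str, salt: str, profiles: Dict[str, dict] = SAMPLE_PROFILES) -> Dict[str, str]:
    """Everything a holder of master+salt (and the profiles) can regenerate."""
    return {d: password_from_profile(master, salt, d, profiles) for d in profiles}


if __name__ == "__main__":
    for domain, pw in all_passwords("example master", "example salt").items():
        print(f"{domain:22s} {pw}")
```

Note what state survives in this "stateless" design: the counter and the alphabet/length rules per site. Lose the profiles and the bank's third-generation alphanumeric password cannot be regenerated from the master password alone.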
Well, I guess if you had no master password, any script you expect people to run could have a surreptitious "pass <some args> | curl" to post password data to some web service of your choosing.
Still, if you use a password manager without a master password, I don't think you can be protected from consequence, regardless of what your tools do. Pass could refuse to allow the no master password scenario, or could force some type of blatant user interaction to allow it to work, but ultimately, that user is screwed by something somewhere.
Pass doesn't handle your "master password" at all, it's completely delegated to GnuPG (pass is really nothing more than a shell wrapper around your file system, GnuPG, and Git). Does GnuPG let you easily get away without a password on your key? I don't remember ATM.
It's completely possible to set up `pass` such that you can type `pass <name>` and it will print the password to stdout (you might have to pass an extra parameter or so) without ever asking the user to input anything to confirm they approve of this action.
Now if this were to become mainstream, it's almost guaranteed that some percentage of users will set it up to work that way.
And now you have the perfect opportunity to write a script that simply attempts to read passwords using pass and if it succeeds sends the results somewhere on the net.