I've been using pass for several years now and I recommend it to my friends, but I usually get weird looks when I say I store my passwords in a git repo (it's not as bad as it sounds!). Here's why:
- I host my git repo on my desktop computer (through SSH), so it's not exposed anywhere except if you have SSH access to my computer. (A lot of people seem to think git = GitHub which is not true). So if your git repo is not exposed to the public, you don't leak any of the site names/usernames you use.
- The passwords are GPG encrypted so even if it were leaked that would be okay as long as my secret key remains secure.
As far as usability goes, I usually use the -c option to copy/paste my passwords. I used a browser extension for a while, but I haven't gotten around to reinstalling since the copy/paste works fine for me. Syncing with my phone and Linux devices works perfectly (since it's just git).
The Windows client seems to be no longer maintained [1], so I would like better support here for my Surface. But this is still okay since I can SSH to my desktop computer from Windows and copy/paste the passwords from there.
I'm glad it's working well for you. I used to use pass, but when I lost my gpg key I was able to recover most of my passwords through a mistake I'd made. After that I decided to switch to something where I wouldn't be able to screw up as easily, and bought 1password.
I still had an earlier gpg key, and had not reset all my passwords when I switched keys. I'd just re-encrypted them. This let me check out an old commit and decrypt all the passwords in it. A dumb mistake, but it showed me I'm not smart enough to use something that doesn't hold my hand more.
Really good point that you can’t change a password on something if backups exist - because the backups still have the old password. Would apply to 1Password vaults backed up by Time Machine too.
It's worth mentioning though that your repo could leak metadata about what accounts you have, and your username, depending on how you name your pass entries (ie. you can mitigate it by adopting a more cryptic naming scheme for sensitive entries). Just something to be aware of, it may not matter for your use case. Bitbucket still offers free private repos, which I use for my password store.
The Android app allows one to use OpenKeychain, so I can use my gpg key on my YubiKey to both authenticate the SSH session to do git pulls and decrypt individual secrets.
git push. The Android app works with git repos from SSH. I also use Wireguard since I run my SSH server behind the VPN, but this is obviously optional since you can just expose your SSH server to the internet.
Ah, there is an Android app [1] which you sync the passwords to and it basically presents a list of all your websites. To use a password: tap on the website name, unlock your GPG key, and then see your password and put it in your phone's copy/paste buffer.
This is correct. Pass can only copy it in the paste buffer for 45s.
The command has nice auto-completion and search features. And calling it without arguments gives you a list of all the names of the keys you have, in a tree view.
I have really enjoyed using that little utility for, I would say, 4 or 5 years.
Termux[0] does support gpg and pass, but no YubiKey by default; okc-agent[1] is a third-party binding of OpenKeychain, providing barebones gpg via YubiKey. I use this to decrypt passwords via NFC:
Slightly OT but this is yet another example of why Termux is the killer app for Android. I didn't use to think there was much difference between iOS and Android until I discovered Termux.
The Password Store app delegates key management to another app. I use OpenKeychain [1] for this. I believe OpenKeychain supports Yubikeys, but I haven't used that feature myself so I can't speak about how well it works.
It supports PGP keys stored on YubiKeys via OpenKeychain. There's talk of removing support for OpenKeychain in lieu of a homegrown implementation since OKC development has lost velocity. And their library interface can be a bit cumbersome.
Yubikeys that can do gpg are $40 or so and have lots of other uses.
Iirc, ssh can now do file encryption with FIDO2 keys; these are $10 or so.
Definitely worth buying a pair if you are worried about security (both Trojans, where local encryption at rest can be defeated, and losing your device where it is not)
> I used a browser extension for a while, but I haven't gotten around to reinstalling since the copy/paste works fine for me.
One danger of doing just copy and paste is that you are more exposed to phishing attacks. The browser extension for the password managers check that the site that they are filling in is indeed the site that they stored the password for.
We made an extension for encpass.sh (similar in some ways to pass) that stores secrets in Keybase (https://github.com/plyint/encpass.sh/blob/master/extensions/...) if that sort of thing is of interest to you. Outside of personal secrets, it can be used as a sort of low cost stand in for shared secrets that you might use something like Vault for in a team environment.
That's interesting. I started storing my dotfiles repository in Keybase. There's not any secrets in there really other than how my home directory is setup but I figured there's no reason I couldn't keep my AWS keys and ssh key pairs in there too.
> I usually use the -c option to copy/paste my passwords
In X11 it's also possible to get passwords typed automatically with xdotool, which I call through an xmonad package. The only thing I'm missing is more powerful autocompletion.
Thanks. There wasn't any manual page or --help output, so I gave up on it, but now this may be the best option I know of. But, yeah, I could have just `cat /bin/passmenu`.
* It leaks meta-data. That might sound a con, but in exchange you get the ability to extract a password without decrypting and thus exposing other passwords. There is isolation.
* It’s more convenient than a single-file password manager. You type `pass -c goo` for your Google account, instead of clicking on your password manager, typing a password, searching in the database, finding the right entry, copying the password or pressing auto-complete, and closing the database. The combination of mouse and keyboard can make alternative password managers slower.
* You don’t need your master password to add a new password (it uses asymmetric encryption).
* You can easily program it, e.g., write a backup script that grabs a password from the store.
* It uses GPG which means your secret key can be stored on Yubikey, handled by a dedicated agent. Your password is basically a short PIN with max 3 tries. This is unparalleled convenience and security!
* It’s secure, because it’s a short bash script that you can check, and delegates encryption to a dedicated well-audited cryptographic tool.
* You can encrypt to multiple keys, thus use it similar to LUKS that supports multiple passwords.
* GPG is usually widely available, so you can decrypt a password on another system on which you may not have admin rights to install your password manager.
There might be a few cons though. For example, if you store your database on a cloud, say, Dropbox, Dropbox could switch your Dropbox.com file with your google.com file, and you copy and hand over your Google password to Dropbox. But this is hypothetical for most of us! Also, some people don’t like metadata (filenames) leakage, though apparently there are solutions for that.
Overall it’s very convenient and functional. I highly recommend it.
> There might be a few cons though. For example, if you store your database on a cloud, say, Dropbox, Dropbox could switch your Dropbox.com file with your google.com file, and you copy and hand over your Google password to Dropbox. But this is hypothetical for most of us!
Before I became aware of Pass, I wrote essentially the same thing, but in Python.
Fast-forward a decade or two, and my wife uses a password manager that got deleted from the Apple AppStore, and iPhone backups just contain pointers to the app to install upon backup, not the actual binaries. So my wife had her password database, but no password app. I did a bunch of research on password database formats, and this is recognized as a pretty common vulnerability.
Pass allows you to add arbitrary metadata, so I suggest adding the domain (or better yet, the login URL) as the second line in the encrypted file. I made this automatic/mandatory in my home-spun Pass-alike.
What you probably want is a signature. Since pass can be a git repo, you could use git to sign your commits [1]. But you'll have to remember to check the git commit signatures or automate checking it somehow.
Restricting to a git repo and making sure to check that the commit is signed and there's no diff to current would work, but it's easier to just put the login URL (or at least the domain) as the second line of the encrypted file (Pass allows arbitrary metadata).
OpenPGP (GPG / etc.) use a MAC on the file, so an attacker can't modify the encrypted file and still get it to decrypt (at least without some flag to ignore broken MAC). An attacker could create a new password file for you for their domain, but then they'd have to make up a random password for you that's not going to match your FriendFace/Congo/Vigintillion password.
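The check the two comments above describe (login URL on line 2 of the encrypted file, verified against the site you are about to paste into) is easy to script. The following is an added example, not code from the thread or from pass itself; it assumes the decrypted entry text has already been obtained (for instance by piping `pass show <name>` into it) and that the caller knows which domain it intends to use the password on. Hostname matching is done on the URL's host only, so query strings or userinfo that merely contain the expected domain do not pass.

```python
from urllib.parse import urlsplit


class OriginMismatch(Exception):
    """The login URL stored inside the entry does not belong to the site we asked for."""


def split_entry(text):
    """pass convention: line 1 is the password; by the commenters' convention line 2 is the login URL."""
    lines = text.splitlines()
    if not lines or not lines[0]:
        raise ValueError("entry has no password on line 1")
    url = lines[1].strip() if len(lines) > 1 else ""
    return lines[0], url


def host_of(url):
    """Return the lower-cased hostname of a URL; a bare domain (no scheme) is accepted too."""
    if "://" not in url:
        url = "https://" + url          # urlsplit would otherwise treat it as a path
    host = urlsplit(url).hostname       # drops userinfo, port, path and query
    return (host or "").lower().rstrip(".")


def host_matches(host, expected_domain):
    """True if host is the expected domain or a subdomain of it (suffix match on a label boundary)."""
    expected = expected_domain.lower().rstrip(".")
    return bool(host) and (host == expected or host.endswith("." + expected))


def check_origin(text, expected_domain):
    """Return the password only if the entry's stored login URL belongs to expected_domain."""
    password, url = split_entry(text)
    if not url:
        raise OriginMismatch("entry carries no login URL on line 2; refusing to use it")
    host = host_of(url)
    if not host_matches(host, expected_domain):
        raise OriginMismatch(f"entry is for {host!r}, not {expected_domain!r}")
    return password


def origin_ok(text, expected_domain):
    """Boolean wrapper around check_origin for callers that prefer not to catch exceptions."""
    try:
        check_origin(text, expected_domain)
        return True
    except OriginMismatch:
        return False


if __name__ == "__main__":
    # Constructed sample entries (not real credentials).
    good = "hunter2\nhttps://accounts.google.com/signin\n"
    swapped = "hunter2\nhttps://www.dropbox.com/login\n"          # the "Dropbox swap" scenario
    lookalike = "hunter2\nhttps://google.com.evil.example/login\n"
    bare = "hunter2\n"
    for name, entry in [("good", good), ("swapped", swapped), ("lookalike", lookalike), ("bare", bare)]:
        print(name, "->", "ok" if origin_ok(entry, "google.com") else "refused")
```

The suffix check deliberately requires a `.` before the expected domain, so `google.com.evil.example` is refused while `accounts.google.com` is accepted; an entry with no URL on line 2 is refused rather than silently trusted.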
It makes me slightly wary, as those sorts of things can have unintended consequences. For example, there was a social engineering exploit where someone would call into Amazon and add a credit card to an account they didn't own. They would then call right back and request a new email added to the account and use the freshly added credit card as authentication.
They could then use your Amazon account, or use the real card associated with the account as authentication for something else
Password managers that use authenticated encryption are not vulnerable to such attacks. Well, it's more a hypothetical attack, in practice you're more likely to get a keylogger.
I'm not sure what you mean by authenticated encryption. I'm assuming you just meant single key encryption.
My question is if those are really on a different set of math, as my understanding was that they were not, all told. If you can bust public/private key encryption, you can typically bust all encryption. Is that not necessarily the case?
Pass uses a public key to encrypt files; an attacker needs to know only the public key to forge pass files, and that public key isn't secret: it's stored in plain, unencrypted form. That's why you can create pass files without entering the master password that protects the private key, which is not used to create pass files. That's the catch with asymmetric encryption.
It's not a certainty of abuse, only uneasiness about technical feasibility. Historically abuse of forgery was clever and unpredictable, as a result design of cryptographic systems tries to prevent forgery when possible. A hypothesis: pass prints text from decrypted file to terminal, terminals have rich functionality, legacy features and wide attack surface, so text printed to terminal is an attack vector.
And convenient. The only minor road block I sometimes encounter is when a website has dumb rules for passwords. I have to generate an auto one, then edit it manually to make it comply with « no @ in password » or whatever dumb stuff like that.
Many password managers allow most of these things, so I'm not convinced. I'm using KeePassXC, which surprisingly does not get much publicity here on HN.
> Here are some of the pros of the Pass:
> * It leaks meta-data. That might sound a con, but in exchange you get the ability to extract a password without decrypting and thus exposing other passwords. There is isolation.
I still consider leaking metadata a more serious potential for issues, than having to decrypt the whole database. Also you say extract the password without decrypting, you still need to decrypt the password.
> * It’s more convenient than a single-file password manager. You type `pass -c goo` for your Google account, instead of clicking on your password manager, typing a password, searching in the database, finding the right entry, copying the password or pressing auto-complete, and closing the database. The combination of mouse and keyboard can make alternative password managers slower.
When I use KeePassXC I can easily use the libsecret command line, no GUI involved (except for opening the DB). By using the secret store integration I also don't interact with the password manager directly most of the time. It gives me the password for git repositories over HTTPS, WiFi passwords, my VPN password, and SSH is done via the ssh-agent integration, while for the browser there is the plugin.
> * You don’t need your master password to add a new password (it uses asymmetric encryption).
Except as pointed out by someone else, all your old entries are still only encrypted by the old password.
> * You can easily program it, e.g., write a backup script that grabs a password from the store.
This is easy as well via libsecret integration in other password managers
> * It uses GPG which means your secret key can be stored on Yubikey, handled by a dedicated agent. Your password is basically a short PIN with max 3 tries. This is unparalleled convenience and security!
I admit that can be an advantage, but I don't think I would use it much. If I need to enter a password on the go, I would always use the phone app.
> * It’s secure, because it’s a short bash script that you can check, and delegates encryption to a dedicated well-audited cryptographic tool.
I don't think this argument is convincing. Security is complex and there have been plenty of cases of some tool using known secure components and still messing things up. I'm not saying this is the case here though.
> * You can encrypt to multiple keys, thus use it similar to LUKS that supports multiple passwords.
What's the use case for this?
> * GPG is usually widely available, so you can decrypt a password on another system on which you may not have admin rights to install your password manager.
Many password managers work as static binaries AFAIK, so you could just carry that around on your USB stick.
> There might be a few cons though. For example, if you store your database on a cloud, say, Dropbox, Dropbox could switch your Dropbox.com file with your google.com file, and you copy and hand over your Google password to Dropbox. But this is hypothetical for most of us! Also, some people don’t like metadata (filenames) leakage, though apparently there are solutions for that.
> Overall it’s very convenient and functional. I highly recommend it.
> A pass extension that obscures the filenames and folder hierarchy within your password store.
> pass-code generates random filenames for each file in the password store and keeps the mapping in an encrypted file. This way, no valuable information is accessible even if your password store is leaked to the public (unless your GPG private keys were also leaked). Nevertheless, you should always ensure proper protection of your password store.
You'd have to manually look up the entries in a lookup table to resolve obfuscated names back to readable names... Or upstream support for whatever format is devised. I dunno.
I haven't used this app, but if the issue is a binary file where the app is expecting plain text, you could base64 encode your file. Maybe with some dummy password data. Then your arbitrary encrypted file is just another line in the plain text file.
A common way to use `pass` is to store things like `organization/domain/username` so for example it might be `goldmansachs/github.com/alphacoder` which is telling us that you do some work for Goldman Sachs who store stuff on Github and your username is alphacoder.
I don’t really see the implication.
Also, it would be trivial (or not too hard) to wrap the whole thing in another layer of encryption. Like VeraCrypt.
But wait, actually I don’t really see what’s leaking. The name of the file that stores the encrypted password?
I use pass for exporting secrets to environment variables. I have a multi-line password called "envvars" that contains a script like this:
#!/usr/bin/fish
set -x PASSWORD hunter2
set -x PASSWORD_STG hunter3
set -x LUGGAGE_KEY 12345
set -x TOKEN (curl "https://api.example.com/oauth/token" \
--data-urlencode "username=$USERNAME" \
--data-urlencode "password=$PASSWORD" | jq --raw-output .access_token)
set -x TOKEN_STG (curl "https://api-stg.example.com/oauth/token" \
--data-urlencode "username=$USERNAME_STG" \
--data-urlencode "password=$PASSWORD_STG" | jq --raw-output .access_token)
When I want to set the environment variables I run `pass show envvars | source` and it sets the environment variables for the current shell. It's an easy way to keep the secrets out of my shell history and plaintext files.
Very nice. I've been setting up a post-install script for the last while and something like this would be very useful for logging into some desktop apps automatically.
There are a number of ways to integrate it into rofi too, so with the press of a few keys I can navigate to any site and login instantly.
To squash a few concerns:
- Leaking data - If someone types "pass" in your terminal it will show a list of sites that you've stored. I don't find this any less obvious than if someone had LastPass installed on their machine.
- Trusting different app developers - This can be true, but if you stick with the CLI then there's only one app to trust - and one person! You don't rely on a company to safeguard your data, you trust yourself.
YMMV, thoughts are my own. I happen to very much enjoy pass and I think others might too if you like owning your own data.
> If someone types "pass" in your terminal it will show a list of sites that you've stored.
This is not really any different from Keychain on a Mac. I don't really see it as a major downside.
If someone's logged into the computer as you, you're already hosed, and this is hardly the first place they're going to look to get a list of websites you've visited.
But that's not the concern, anyone who gets their hand on your passwordstore (encrypted) gets the same information. That is not the case with a format that stores your password in one big database.
The implications can be quite significant, because if I get my hands on your store, I might find out that you are user xx on yy, which I can then use to try to compromise via social engineering (or it might have a known exploit) and use that as a springboard for other sites that I know from your pass store.
What people mean by leaking metadata is if you sync over git or dropbox you also leak the metadata to them. Whereas with 1password or something like it the sync server only sees an opaque blob.
I don't use pass myself (I have severe NIH[1]), but its design has inspired me many times over: very, very few tools rise to the challenge of adhering to the Unix philosophy without cargo-culting it, and pass is one of them. I highly recommend that people looking to write engineer-friendly tools study its manpage[2].
Similarly, I wrote "hunter2" [0] to manage my passwords, for places where I'm still forced to use passwords. Although I didn't know of "pass" when I wrote it, it accomplishes the same goals. One difference is that it doesn't rely on PGP keys but just uses bare RSA keys from a smartcard. This is because the vast majority of authentication systems I work with use an X.509 certificate with an RSA key pair, hardly anything uses a password any more (since doing so requires a lot of paperwork).
I use pass as my general purpose personal secret management system. It synergizes very well with direnv, another one of my favorite tools. Using bash substitution, you can set a per-directory environment variable to the output of a pass command. This way you never have to have unencrypted secrets sitting on your dev machine.
I manage multiple machines, and while ssh-agent forwarding is easy to use, a lot of people don't know about gpg agent forwarding. It's a bit fiddly, but it allows you to store all your secrets encrypted on your remote machines and have your gpg agent sitting on your personal machine.
I sorta wish it had different encryption backends, gpg is a bit long in the tooth. But it works just fine.
Great tool. For those of you who want to set up `pass` on your Android phone, here are my rough notes on how I did it. Apologies, they are rough:
- install Password Store on Android phone
- import remote repo using ssh
- in my case, I was able to generate a new ssh key for my Android phone from within the Password Store app
- I “somehow” sent this to myself and added it to my GitHub profile settings (from my laptop)
- I was able to import my repo and see all my password names!
- still need my GPG key to unlock the password. For this I needed to install OpenKeychain on my android phone
- then somehow need to import my GPG key from my laptop to my phone
- followed this to create the key file, knew most already: https://medium.com/@johnnymatthews/import-a-gpg-key-onto-your-phone-7dbadf16fefa
- couldn’t find a cable to connect to USB! Turns out if you connect to your phone by bluetooth, in Ubuntu it’s pretty easy to send a file from the Bluetooth settings menu. Finding the file on my phone was another challenge! Turns out it’s stored in a “pixel 3a > bluetooth” folder in the files browser
- imported file into OpenKeychain!
I love that using my gpg key still required my passphrase (only in my head!).
Don’t forget to delete the gpg key you exported on your laptop and your phone! Security of this? Not sure.
And voila! I can now see my `pass`words on my Android phone!
Used KeePass and pass in the past. KeePass is nice, but has much more features than I really need. I wanted something lighter and simpler, so I migrated to pass in 2015. Even though it is nice that it relies on tools like gpg and git, it complicated things more than not. It is (was?) hard to use on every OS except Linux. And in addition to backing up the database, the gpg key now needs to be backed up, too. Password management is messy.
When searching for alternatives, I found the concept of stateless password managers. Proprietary cloud solutions are off the table for me. Because I travelled a lot in 2018, a new criterion emerged: How does bootstrapping work? How do you get any password from the database on a device that you do not own? This is obviously difficult with a traditional approach. I quickly migrated the most important logins and never looked back!
Besides storing passwords, a password manager should also help using them. KeePass provides Auto-Type for this. Eventually, most passwords will be used in the browser. Having a compatible browser extension became a must. Copy-pasting is a dealbreaker, because every application can read the clipboard! Most desktops support text drag and drop and on mobile, the application should provide a custom keyboard or accessibility feature.
In the meantime, I am using my own browser extension and wrote a converter plugin for KeePass to occasionally copy them (for convenience only) to my mobile. Typing the master password is cumbersome, so I use a random file (one of the dozens) in the Downloads folder as keyfile. In case of emergency or for bootstrapping, there is a web app.
If you can stomach some more features, KeePassXC is well-maintained and has an excellent browser extension as well as FDO secret service integration on Linux for CLI access via secret-tool.
I wrote a pass-like password manager that's built using a layered architecture and one of the lower layers basically fits your exact use-case! The three layers that make up the password manager are:
- securestore - An encrypted file store
- vcstore - A version controlled file store
- pass - Password manager functionality
Each layer builds on the last, so in your case, you could just use the vcstore layer directly without the password manager functionality. I wrote a blog post on it[1] if it sounds interesting.
I've been using this with a modified version of the example passmenu script, enhanced with:
* ability to store/retrieve additional YAML metadata like username, e-mail, etc.
* pre-selection of entries by looking at URL and focused form field (this needs the add-url-to-window-title browser extension)
So in most cases I press a keybinding which invokes passmenu, and then just press enter as the correct entry and field (password/username) is already selected. Quite handy.
I've used pass for a while, but I switched to Bitwarden, since it has official apps for all platforms. Also, with Bitwarden I only have to trust them; with pass I have to trust all the different app developers.
I've developed `prs` as `pass` alternative. It fixes many annoyances for daily use. It provides automatic syncing between multiple devices through git, supports multiple keys and many other things. It simply uses your existing `pass` store.
It is a file-based key-value store, where only the values are encrypted[1], with GPG to make it worse. For these reasons, I moved to KeePassXC. It is cross-platform, has a nice Qt GUI and you don't have to resort to hacks to have several values associated with a single key (i.e. not just password, but also username and others).
> resort to hacks to have several values associated with a single key (i.e. not just password, but also username and others).
What hacks? Just add the username/whatever under the password.
Pass only uses the first line in the file as the password when you do `pass -c` to copy to clipboard. So you could write a whole book in there if you want.
Pass for iOS also displays those values in a nice list with titles if you write the extra fields as "key: value"
Unless you need multiple concurrent writers or some kind of RBAC, it's going to be really hard for anything to beat the KP database just because it already takes things like that into account, along with optional entry history, arbitrary associated values, etc.
Been using it both with computers/phones and via programmatic access on cloud storage for years.
Because you still need to manage your GPG keys with an obscure CLI. When I last switched computers, I tried just copying my "~/.gpg" directory. Didn't work. GPG was confused, produced even more confusing messages, which didn't really help me understand what the problem was. I needed to google for the right incantation of commands to export my keys from one computer and import them on another. Compare that to what you have with KeePassXC: switching computers? Just copy this single file and everything will just work.
And I don't want to know if I'm holding GPG right. I just want the tool to work for my specific case. But GPG wasn't designed specifically with this case in mind, so, as usual, it will be terrible. It tries to be too many things.
Its simple file format lets you build different interfaces to access the same files. I prefer gopass (https://www.gopass.pw/) as a user interface, as it has a few extra features that make it a bit more comfortable.
I love the idea of Pass, but from what I've seen of the UX (not talking looks) it doesn't really compare to the ease of use of products like 1Password (which I suspect was the catalyst for this being reposted). Does anyone have any contrary experiences when shared across iOS, Linux, and macOS devices + browsers?
I really like pass, but I switched to Bitwarden for this reason. Bitwarden has first party support everywhere I need it. Pass has clients everywhere, but other than the CLI I have not been impressed.
My almost 70-year-old dad uses Pass for iOS in his everyday life. He does not have a clue about what's going on under the hood (gpg, git, my instance of Gitea where it pushes to, me being able to intervene or fix stuff from somewhere other than his phone, etc.), but that's fine for both of us. He even complained when I suggested trying Nextcloud Passwords because he might understand better what's going on there. So I guess in terms of UX this is a positive example.
QtPass was decent last time I tried it, but I'm not sure if it has been updated recently. Not really much need to have a separate GUI though when there are browser extensions like Browserpass.
I don't use Windows, but I very easily use pass across multiple Linux, Mac, and Android devices. Sometimes I forget to git push something, but that's pretty rarely an issue for me. Set up requires a bit more work than 1Password, etc. but I still think it's pretty easy to set up.
On my computer, I actually like the UI more than anything else because I use ZSH completion for pass and FZF for history search and thus copying any password is just like 5 keystrokes on average.
I'm a LastPass user contemplating a switch. Your article doesn't say why I should switch. You mention "more control", and that's my thinking as well, but it just appears... not worth it to switch for something so nebulous? Perhaps I'm too lazy?
My own reason was mostly that, due to the dance with mobile (non-free/free/non-free), I thought it was about time to look into self-hosting. The post is not really meant to convince you, just to show that it's definitely doable, with a bit of effort.
To backup the passwords a copy of ~/.password-store/ is enough, but to completely recover, a backup of the gpg keys is also required. What's your strategy for this? Do you just backup the entire ~/.gnupg/ directory?
I use passphrase2pgp[1] so I can recreate my GPG key anywhere. I need to remember three pieces of information:
- passphrase (long sentence, but it's easy to remember)
- uid (Name <email> - easy)
- timestamp (10 digits - kinda hard to memorize, but you can have it noted in plain text since it's not sensitive information)
I have my key on multiple devices (e.g. my phone where I use the Password Store app). Then I have backups of the key as .asc on USB drives as well as printed on paper at two different physical locations.
It's an amusing reference to the cheeky line from the historic Unix man page for `ed`; "the standard Unix editor".
RE: who decided.. well, the presence of `ed` was a requirement for an OS to be accredited as POSIX-compatible, so that's presumably why `ed` decided to describe itself as 'the standard'. But `ed` fell so far out of favor once screen-based editors (`vim`, `emacs`, etc) became commonly available that the "the standard" line which continued to hang around in ed's documentation became a bit of a Unix in-joke.
The modern GNU version of the `ed` tool describes it as "line-oriented text editor" instead of as "the standard Unix text editor". And only briefly mentions the old phrase in an apologetic explaining why that old phrase was used in the past.
So the short version of the answer: it's not. It's an in-joke which is attempting to draw to mind a comparison of this software against older, simpler Unix tools like `ed`. Which IMHO is totally valid, if you say pass is to lastpass as ed is to vscode. Simpler tool, possibly easier to use for keyboard-focused folks, focuses on doing just one thing and doing it well, etc.
I love the simplicity of Pass, but I wanted just a few more features, like being able to store (and retrieve) extra data easily. Unstructured data below the initial password wasn't really enough for me.
I ended up taking huge inspiration from Pass, but writing my own implementation[1] with a few more features that increased its usefulness for my use cases.
I posted it a while ago on here[2] and Reddit[3], but it basically stores each entry as a Bash script, which gives it so much flexibility: auto-typing, references, multiple fields, executable functions, etc. I also wrote a blog post on it[4].
I'd be interested to hear what people think of it if anyone did/does end up giving it a go.
In my pass files, I put the password as the first line, optional username as second line, then I format the rest of the file as a YAML doc. So you can decrypt the file, scan for the first "---" and then everything after that is YAML (or multiple YAML docs if you have more "---").
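The layout described in the comment above (password on line 1, optional username on line 2, `key: value` lines as Pass for iOS displays them, then one or more YAML documents separated by `---`) can be parsed with a few dozen lines. This is an added example, not code from the thread or from pass; it assumes exactly that layout, decides that line 2 is a username only when it is neither a `key: value` field nor a `---` separator, and keeps each YAML document as raw text (so it needs no YAML library) while still splitting them correctly. The `clipboard_line` helper mirrors what `pass -c` does, which is to take only the first line.

```python
import re

# A "key: value" metadata line, as shown by Pass for iOS. Keys are restricted to a safe character set.
FIELD_RE = re.compile(r"^([A-Za-z0-9_.-]+):\s*(.*)$")


def clipboard_line(text):
    """What `pass -c` copies: only the first line of the decrypted entry."""
    return text.splitlines()[0] if text.splitlines() else ""


def parse_pass_entry(text):
    """Parse a decrypted pass entry into password, username, key: value fields and raw YAML docs."""
    lines = text.splitlines()
    if not lines or not lines[0]:
        raise ValueError("entry has no password on line 1")
    entry = {"password": lines[0], "username": None, "fields": {}, "docs": []}
    body = lines[1:]

    # Optional username on line 2: plain text that is neither a key: value field nor a YAML separator.
    if body and body[0].strip() and body[0].strip() != "---" and not FIELD_RE.match(body[0]):
        entry["username"] = body[0].strip()
        body = body[1:]

    # Split the remainder at every '---' line. Text before the first separator holds key: value
    # fields; each chunk after a separator is one YAML document, kept as raw text.
    chunks, current = [], []
    for line in body:
        if line.strip() == "---":
            chunks.append(current)
            current = []
        else:
            current.append(line)
    chunks.append(current)

    for line in chunks[0]:
        m = FIELD_RE.match(line)
        if m:
            entry["fields"][m.group(1).lower()] = m.group(2).strip()
    entry["docs"] = [doc for doc in ("\n".join(c).strip() for c in chunks[1:]) if doc]

    # Fall back to a username-like field when line 2 was not a bare username.
    if entry["username"] is None:
        for key in ("username", "user", "login"):
            if key in entry["fields"]:
                entry["username"] = entry["fields"][key]
                break
    return entry


# Constructed sample entry (not a real credential), in the layout the comment describes.
SAMPLE_ENTRY = """hunter2
alice@example.com
url: https://accounts.example.com/login
recovery-codes: 1111-2222 3333-4444
---
notes: "security questions answered with random strings"
mfa:
  type: totp
---
tags: [work, mail]
"""

if __name__ == "__main__":
    parsed = parse_pass_entry(SAMPLE_ENTRY)
    print("clipboard gets:", clipboard_line(SAMPLE_ENTRY))
    print("username:", parsed["username"])
    print("fields:", parsed["fields"])
    print("yaml documents:", len(parsed["docs"]))
```

Because the password is never looked at beyond line 1, everything below it can be as verbose as you like without affecting `pass -c`; the parser only decides how to label that extra text.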
I just use Syncthing on .password-store to provide me with protection of metainfo and access on my various devices. Since the store is just a bunch of files it just works.
A well praised password manager that unfortunately will never be useful for the non-tech people, at least for me. I saw so many wonderful reviews, recommendations and reports about the simplicity of using it. And the level of excitement from the reviewers made me think I should try it as soon as possible. But with only basic-medium Linux skills I will never be able to install pass. I looked everywhere for step by step tutorials on how to run it, but there's always a "skipped" step or a small "something" that will lead me to failure (despite spending hours searching how to do this part). Unfortunately I had to give it up and started to use bitwarden.
Same with etesync - no way to use it, even the paid version with hosting on the developer's server gave me a hard time. I could never use it right: android, iphone or macos. So back to Apple's calendar or some other easy alternative.
Ah… :-(
It took me way too long in life to finally start using a password manager (a few years ago). Pass was what finally convinced me. Seldom is a tool perfect, but pass is pretty damn close to it!
Same. My previous solution --- LUKS container mounted from a file with just directories and plaintext files in it --- was pretty secure too but pass is really convenient in comparison.
I'm currently playing with integrating bitwarden self hosted into my flow, eyeing a switch, but it's way more complicated to understand than pass...it does not make it easier to trust it.
Interesting to see this come up. I wrote about using pass to authenticate to Docker inside of an alpine linux docker container last summer[1]. It was quite the undertaking to get it all working. The premise was to figure out how to securely authenticate to Docker, potentially in a CI type system.
I let Firefox save a lot of passwords, and for those that require more; I have one encrypted Linux volume on my computer. In that volume, name of file is name of service or website, and login and pass are written however.
To speed things up a tad, I have a custom command that points fzf with preview to it, with a little oath2 script in the preview to handle 2FA.
I've been hearing stuff lately about how I should perhaps be concerned when copy-pasting? But for now, this feels pretty good.
Might be weird, but I use this app to encrypt things to a file and use Google Drive to store the encrypted file. It works well for me as I constantly switch computers and do not trust cloud vendors. So even if my Google account leaks, without the password the data won't be compromised.
They at least offer local network syncing, instead of requiring a cloud account (which is a deal breaker for me). This lets you keep your passwords in sync between your Computer (master) and mobile devices without them ever leaving your home.
All that does of course still require trust in the company, but at least not in their cloud infrastructure and, well, the internet...
# pipe an arbitrary file into pass
cat ~/Desktop/test-image.png | pass insert -m test-image
# get the arbitrary file out of pass
pass show test-image > /tmp/test-image.png
Question for HN... is there a project that anyone knows of, that is using Age instead of GPG as the encryption for Pass? I’ve seen a few implementations of it, but nothing I’d use for a daily driver yet.
I discovered a couple of years ago that iTerm2 has a password manager, as well as other cool features like live text highlighting via regex.
Anyway it was the first time I had ever used a password manager that you can call directly in the shell. It’s awesome, and once you memorise a few simple key combos it’s super easy to input stored passwords in the shell.
Mostly for running commands with sudo, and changing to different users, it really made my workflow a lot faster especially because I have several environments, and each one has different passwords.
I love pass but I have been having very weird issues lately with gpg agent taking ages to ask me my password to decrypt the database. Really annoying and googling has not yielded fixes. Worse, the dev doesn't use GitHub so getting in touch is a giant pain in the ass.
>The password store does not impose any particular schema or type of organization of your data, as it is simply a flat text file, which can contain arbitrary data.
That whole section, the options (or lack thereof) is a mess...
Not really.. Gopass which is compatible supports YAML-based key/values. I find having to conform to a particular password management solution for extended entries to be more messy.
I think this is outside of the threat model of most password managers -- your desktop search history (whether in your shell, Spotlight, or whatever) is leaking equivalent and probably more detailed information.
It can be a problem if you want to back up the password database to the cloud.
That's part of the threat model for most other password managers, which use a single encrypted file for the database. Pass is the only popular one I know that stores part of the information in plaintext.
I don't actually use pass, but as an idle thought: if you're concerned about this sort of metadata when syncing your `pass` store to a cloud provider, why not take advantage of the GPG key you already have and encrypt everything as a single blob in one shot? You pay a little more with each synchronization, but probably not enough to worry about for reasonably sized stores.
But the exposure is to anyone with access to your encrypted pass data. Which in the normal use case is going to be anyone with access to your user account, which means they could likely already see your shell and browser history.
Not if you want to access it on multiple devices, in which case the built-in solution is to use git. In that case your git server sees all the metadata.
I like apps with browser integration like 1Password so I don't have to copy the plain text password to the clipboard or even have it be visible in my shell.
You could set up a cron job that polls 1Pass for your password CSV, imports the CSV into pass, and commits the diff.
Caveat that I don’t know how robust 1Password’s API is, or indeed if they have one. You might need to do the “gimme all my passwords in a CSV” step through a GUI, or a very hacky puppeteer script.
Tangential question: why doesn't keepass or keepassx autosave?
Why does it even have the antiquated save button to begin with?
I have permanently lost access to some things due to this, as other password managers don't have retro features like that. Usually when I'm using unix or linux, it's on an OSX keyboard so even my reflexive shortcut key saving has buttons flipped.
- I share these random passwords with my team (ugh... git I guess huh!)
- I share some of these random passwords with my family (you try teaching a 6 year old git, and a 37 year old woman who already doesn't want to change her habits)
- I use these passwords on my home computer (windows), work computer (osx), android, ios
Yeah, not going to switch away from 1password any time soon.
Not sure what any of the above have to do with this app...
"- i share these random passwords with my team (ugh... git i guess huh!)"
Git doesn't mean you "share" anything. First, you can use a private repo, second your passwords are encrypted. Unless you give the master key, nobody "shares" your passwords, even if they have access to the git repo.
I'm saying the tool works for a subset of uses for generated encrypted password stores. Unless I misunderstand and this is entirely for secret sharing between servers, in which case I retract everything I said.
If your team has GPG keys (they should if they're signing Git commits) then pass works great for teams as well. You can encrypt to multiple GPG key IDs so many users can decrypt passwords from a shared git repo.
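The multi-recipient behaviour comes from the `.gpg-id` file: pass encrypts each entry to every key listed in the nearest `.gpg-id` above it, so `pass init KEY1 KEY2 KEY3` makes the whole store readable by three people and `pass init -p infra KEY1 KEY2` narrows a subdirectory to two of them. The following is an added example, not pass's own code, that builds a throwaway store with hand-written `.gpg-id` files and reproduces that lookup; the key IDs are placeholders, not real keys:

```shell
# Added example, not pass's own code: mimic how pass picks GPG recipients for an
# entry by walking up from the entry's directory to the nearest .gpg-id file.
# The store layout and key IDs below are constructed placeholders.

# Build a throwaway store: three teammates can read everything, but infra/ is
# restricted to two of them.  pass itself would write these files via
# `pass init KEY...` and `pass init -p infra KEY...` (and re-encrypt the subtree).
make_demo_store() {
  store=$(mktemp -d) || return 1
  mkdir -p "$store/infra" "$store/web"
  printf '%s\n' 0xAAAAAAAAAAAAAAAA 0xBBBBBBBBBBBBBBBB 0xCCCCCCCCCCCCCCCC > "$store/.gpg-id"
  printf '%s\n' 0xAAAAAAAAAAAAAAAA 0xBBBBBBBBBBBBBBBB > "$store/infra/.gpg-id"
  echo "$store"
}

# gpg_recipients STORE ENTRY  -> the key IDs ENTRY gets encrypted to.
# Walks from the entry's directory up to the store root, stopping at the
# first .gpg-id; fails if the store has none (i.e. was never initialised).
gpg_recipients() {
  store=$1
  dir=$(dirname "$store/$2")
  while :; do
    if [ -f "$dir/.gpg-id" ]; then
      cat "$dir/.gpg-id"
      return 0
    fi
    [ "$dir" = "$store" ] && return 1
    dir=$(dirname "$dir")
  done
}

# Turn the key list into the "-r KEY" arguments gpg needs, i.e. the shape of
#   gpg -e -r KEY1 -r KEY2 -o entry.gpg
gpg_recipient_args() {
  gpg_recipients "$1" "$2" | sed 's/^/-r /' | tr '\n' ' ' | sed 's/ $//'
}
```

Two caveats worth keeping in mind with shared stores: removing a teammate means both re-running `pass init` with the reduced key list (so the entries are re-encrypted) and rotating the secrets, because the commits already in git history still hold ciphertext their key can open; and the directory and file names in the repo remain plaintext, so the shared server sees which systems have credentials even though it cannot read them.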
I used to use this, and then I moved to a real password manager. Like seriously, this doesn’t hold a candle to an actual well-engineered password manager. I use Keepass right now, with MacPass and Keepassium; both excellent apps.
I've only used KeePassX on windows, but the auto fill feature was amazing.
You would push a key shortcut, then based on the window title of whatever window has focus, it would simulate key presses into it. So I could type secure credentials into any program on my computer with one key stroke.
That's how I use pass on Linux. A key shortcut is bound to a script that calls "xdotool getwindowfocus getwindowname", selects the credential set based on it, asks for the master password with pinentry-qt if needed, then types with "xdotool type --file -".
It works and is better than placing the password in the clipboard and then "xdotool type $pass". Likely worse than proper integration with the password consumer.
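A script along those lines, written here as an added example rather than the commenter's actual script, is below. It assumes xdotool and pass are installed and that gpg-agent handles the pinentry prompt; the window-title-to-entry table is made up. One thing the description above does not mention that is worth adding: the decrypt step can block on pinentry for a while, so the script re-checks that the same window still has focus before typing anything.

```shell
#!/bin/sh
# Added example (not the commenter's script): bind this to a key shortcut and it
# types the first line of the matching pass entry into the focused window.
# Assumes xdotool and pass; the title-to-entry table below is constructed.

# Map a window title to a pass entry.  Returns 1 when nothing matches, so the
# caller never types a password into an unrecognised window.
entry_for_title() {
  case "$1" in
    *"GitHub"*)    echo "web/github.com" ;;
    *"Bitbucket"*) echo "web/bitbucket.org" ;;
    *"psql"*)      echo "infra/postgres" ;;
    *)             return 1 ;;
  esac
}

autotype() {
  win=$(xdotool getwindowfocus) || return 1
  title=$(xdotool getwindowname "$win") || return 1
  entry=$(entry_for_title "$title") || { echo "no pass entry for: $title" >&2; return 1; }

  # Decrypt first; this may block on pinentry, during which focus can move.
  secret=$(pass show "$entry" | head -n 1)
  [ -n "$secret" ] || { echo "pass show failed for $entry" >&2; return 1; }

  # Re-check focus so the password is not typed into whatever window took
  # focus while the pinentry dialog was up.
  [ "$(xdotool getwindowfocus)" = "$win" ] || { echo "focus changed, aborting" >&2; return 1; }

  # --clearmodifiers releases any still-held modifier from the shortcut itself,
  # and --file - reads the secret from stdin instead of putting it in argv.
  printf '%s' "$secret" | xdotool type --clearmodifiers --file -
}

# Only act when invoked as a script with --type, so the functions can also be
# sourced and tested without xdotool present.
if [ "${1:-}" = "--type" ]; then
  autotype
fi
```

The mapping is deliberately a whitelist: an unmatched title aborts rather than falling through to some default entry, and the secret goes to xdotool over stdin rather than as a command-line argument, where it would be visible in the process list.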
Interesting. I just have a keyboard shortcut in i3 that uses dmenu to let you select a credential. Very handy as I have multiple accounts for some sites/apps. Plus, the browser extension has its own keyboard shortcut.
[1] https://github.com/mbos/Pass4Win#readme