
I've been using pass for several years now and I recommend it to my friends, but I usually get weird looks when I say I store my passwords in a git repo (it's not as bad as it sounds!). Here's why:

- I host my git repo on my desktop computer (through SSH), so it's not exposed anywhere except if you have SSH access to my computer. (A lot of people seem to think git = GitHub which is not true). So if your git repo is not exposed to the public, you don't leak any of the site names/usernames you use.

- The passwords are GPG encrypted so even if it were leaked that would be okay as long as my secret key remains secure.

As far as usability goes, I usually use the -c option to copy/paste my passwords. I used a browser extension for a while, but I haven't gotten around to reinstalling since the copy/paste works fine for me. Syncing with my phone and Linux devices works perfectly (since it's just git).

The Windows client seems to be no longer maintained [1], so I would like better support here for my Surface. But this is still okay since I can SSH to my desktop computer from Windows and copy/paste the passwords from there.

[1] https://github.com/mbos/Pass4Win#readme




I'm glad it's working well for you. I used to use pass, but when I lost my gpg key I was able to recover most of my passwords through a mistake I'd made. After that I decided to switch to something where I wouldn't be able to screw up as easily, and bought 1password.

I still had an earlier gpg key, and had not reset all my passwords when I switched keys. I'd just re-encrypted them. This let me check out an old commit and decrypt all the passwords in it. A dumb mistake, but it showed me I'm not smart enough to use something that doesn't hold my hand more.
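The failure described in this comment (an old key that can still decrypt earlier revisions) is auditable: every pass entry starts with one Public-Key Encrypted Session Key packet per recipient, each naming the 64-bit key ID it was wrapped to. The following added example, which is not from the thread or from the pass project, reads those packets directly (RFC 4880 packet framing, old and new header formats) and reports recipients you no longer trust; the `audit_history` helper then runs that over every revision of every `.gpg` file in a repository. The key IDs, the sample blob and the repository path are constructed for illustration.

```python
# Added example (not from the thread): find which GPG key IDs the pass entries in
# a git history are encrypted to, so a retired key that can still decrypt old
# revisions becomes visible.  No gpg binary needed: it parses the PKESK packets
# (RFC 4880, tag 1) at the front of each .gpg file.  Key IDs and sample data are
# constructed; the repository path handed to audit_history() is hypothetical.
import struct
import subprocess
from typing import Dict, Iterator, List, Set, Tuple

PKESK_TAG = 1   # Public-Key Encrypted Session Key
SEIPD_TAG = 18  # Symmetrically Encrypted Integrity Protected Data (the payload)


def iter_packets(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        if not hdr & 0x80:
            raise ValueError(f"not an OpenPGP packet header at offset {pos}")
        pos += 1
        if hdr & 0x40:                      # new-format header (RFC 4880 4.2.2)
            tag = hdr & 0x3F
            first = data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = struct.unpack(">I", data[pos:pos + 4])[0]
                pos += 4
            else:
                raise ValueError("partial body lengths are not supported here")
        else:                               # old-format header (RFC 4880 4.2.1)
            tag = (hdr >> 2) & 0x0F
            ltype = hdr & 0x03
            if ltype == 0:
                length = data[pos]
                pos += 1
            elif ltype == 1:
                length = struct.unpack(">H", data[pos:pos + 2])[0]
                pos += 2
            elif ltype == 2:
                length = struct.unpack(">I", data[pos:pos + 4])[0]
                pos += 4
            else:                           # indeterminate: runs to end of input
                length = len(data) - pos
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        pos += length
        yield tag, body


def recipient_key_ids(data: bytes) -> List[str]:
    """Return the 64-bit key IDs (hex) named by every PKESK packet, in order."""
    ids = []
    for tag, body in iter_packets(data):
        if tag != PKESK_TAG:
            continue
        if body[0] != 3:                    # v3 is the PKESK version in RFC 4880
            raise ValueError(f"unsupported PKESK version {body[0]}")
        ids.append(body[1:9].hex().upper())
    return ids


def stale_recipients(data: bytes, current_ids: Set[str]) -> Set[str]:
    """Key IDs that can decrypt this blob but are not in the set you still trust."""
    return set(recipient_key_ids(data)) - current_ids


def audit_history(repo: str, current_ids: Set[str]) -> Dict[Tuple[str, str], Set[str]]:
    """Report {(commit, path): stale_key_ids} for every .gpg blob in a repo's history.
    Needs git on PATH and a real repository; not exercised by the sample below."""
    def git(*args: str) -> bytes:
        return subprocess.run(["git", "-C", repo, *args],
                              check=True, capture_output=True).stdout
    findings = {}
    for commit in git("rev-list", "--all").decode().split():
        for path in git("ls-tree", "-r", "--name-only", commit).decode().splitlines():
            if path.endswith(".gpg"):
                stale = stale_recipients(git("show", f"{commit}:{path}"), current_ids)
                if stale:
                    findings[(commit, path)] = stale
    return findings


# Constructed sample: an entry encrypted to an old key (old-format header) and the
# current key (new-format header), followed by a dummy SEIPD packet as ciphertext.
OLD_KEY_ID = bytes.fromhex("0123456789ABCDEF")   # constructed
NEW_KEY_ID = bytes.fromhex("FEDCBA9876543210")   # constructed


def _pkesk(key_id: bytes, old_format: bool) -> bytes:
    mpi = b"\x00\x10" + b"\xab\xcd"               # one 16-bit MPI as a placeholder
    body = b"\x03" + key_id + b"\x01" + mpi       # version 3, key ID, algo 1 (RSA)
    header = bytes([0x80 | (PKESK_TAG << 2), len(body)]) if old_format \
        else bytes([0xC0 | PKESK_TAG, len(body)])
    return header + body


SAMPLE_BLOB = (_pkesk(OLD_KEY_ID, old_format=True)
               + _pkesk(NEW_KEY_ID, old_format=False)
               + bytes([0xC0 | SEIPD_TAG, 3]) + b"\x01\x00\x00")

if __name__ == "__main__":
    print("recipients:", recipient_key_ids(SAMPLE_BLOB))
    print("stale:", stale_recipients(SAMPLE_BLOB, {"FEDCBA9876543210"}))
```

Run against a real store with `audit_history("/path/to/password-store", {"<your current key ID>"})`; any non-empty result is a revision that a key you have retired can still open, and the only real remedy is rotating the passwords in those entries, since rewriting history does not help once a clone or backup exists.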


Really good point that you can't change a password on something if backups exist, because the backups still have the old password. Would apply to 1Password vaults backed up by Time Machine too.


This is why I use pass without git. pass works normally without git, but the Android app assumes the store is a repository, so it "mostly" works.


Important point on usability for people who may have overlooked this, like me.


A good story, and a good lesson! Thanks for sharing


It's worth mentioning though that your repo could leak metadata about what accounts you have, and your username, depending on how you name your pass entries (ie. you can mitigate it by adopting a more cryptic naming scheme for sensitive entries). Just something to be aware of, it may not matter for your use case. Bitbucket still offers free private repos, which I use for my password store.



I use Keybase git for this reason, and it works great.


There is gopass for Windows which is compatible last time I checked. It also works on Linux and Mac too:

https://github.com/gopasspw/gopass


gopass is primarily targeted at Linux. But it's reported to work very well on Windows, too.


How do you get your passwords out of the repo on your phone?


The Android app allows one to use OpenKeychain, so I can use my GPG key on my YubiKey to both authenticate the SSH session to do git pulls and decrypt individual secrets.


git push. The Android app works with git repos over SSH. I also use WireGuard since I run my SSH server behind the VPN, but this is obviously optional since you can just expose your SSH server to the internet.


Sorry, I meant more on the UI side. Like if I'm on a website that needs a login, do I run a pass command in a local terminal, then copy and paste?


Ah, there is an Android app [1] which you sync the passwords to and it basically presents a list of all your websites. To use a password: tap on the website name, unlock your GPG key, and then see your password and put it in your phone's copy/paste buffer.

[1] https://play.google.com/store/apps/details?id=dev.msfjarvis....


Sounds a lot less convenient than e.g. Samsung Pass. Depends what you value I guess.


On my phone the Android app also asks to fill login forms in Firefox.


Thank you. I wish OP could have linked what Android app he was using


A bunch of apps (TikTok) were busted for polling the iPhone's clipboard; isn't Android also susceptible to that?


That's what they meant with "The Android app works with git repos from SSH".

That is: there are GUI mobile and desktop client apps, compatible with the pass storage schemes.

In this case, the parent refers to one such app that can connect to e.g. your GitHub repo with your passes, and read/manage the passwords from there.


This is correct. Pass can only copy it into the paste buffer for 45s.

The command has nice auto-completion and search features. And calling it without arguments gives you a list of all the names of the keys you have, in a tree view.

I have really enjoyed using that little utility for, I would say, 4 or 5 years.


Do phone apps support Yubikey?


Yes!

Termux [0] does support gpg and pass but not YubiKey by default, but okc-agent [1] is a third-party binding of OpenKeychain, providing barebones gpg via YubiKey. I use this to decrypt passwords via NFC:

[0]: https://termux.org
[1]: https://github.com/DDoSolitary/OkcAgent

Simple password decrypt: okc-gpg -d ~/.password-store/mypass.gpg

I made a Termux shortcut (button on the home screen) to emulate passmenu via this (store in ~/.shortcuts):

  #!/data/data/com.termux/files/usr/bin/env bash

  # Lists passwords in a termux dialog, decrypting the selection to the clipboard for 45s

  # http://redsymbol.net/articles/unofficial-bash-strict-mode/
  set -euo pipefail

  # Inspired by https://git.zx2c4.com/password-store/tree/contrib/dmenu/passmenu
  shopt -s nullglob globstar

  prefix=${PASSWORD_STORE_DIR-~/.password-store}
  password_files=( "$prefix"/**/*.gpg )
  password_files=( "${password_files[@]#"$prefix"/}" )
  password_files=( "${password_files[@]%.gpg}" )
  (( ${#password_files[@]} )) || { termux-toast -s "No passwords found"; exit 1; }

  # termux-dialog sheet takes a comma-separated list (no trailing comma)
  password_files_csv=$(IFS=,; printf '%s' "${password_files[*]}")
  choice_json=$(termux-dialog sheet -t "Select password" -v "$password_files_csv")

  # code 0 means the user picked an entry; anything else is a cancel
  choice_exit=$(echo "$choice_json" | jq .code)
  [[ "$choice_exit" == 0 ]] || exit

  # -r prints the raw string without surrounding quotes
  password=$(echo "$choice_json" | jq -r .text)

  # First line of a pass entry is the password; only that goes to the clipboard
  okc-gpg -d "$prefix/$password.gpg" 2>/dev/null | head -n 1 | termux-clipboard-set
  # pass show -c "$password" 2>/dev/null
  termux-toast -s "Password copied to clipboard"
  sleep 46
  termux-clipboard-set ""
  termux-toast -s "Password removed from clipboard"


Slightly OT but this is yet another example of why Termux is the killer app for Android. I didn't use to think there was much difference between iOS and Android until I discovered Termux.


Most apps delegate PGP functionality to OpenKeychain, which works with Yubikeys. I use a Yubikey 5 NFC and the Password Store app from F-Droid.


The Password Store app delegates key management to another app. I use OpenKeychain [1] for this. I believe OpenKeychain supports Yubikeys, but I haven't used that feature myself so I can't speak about how well it works.

[1] https://www.openkeychain.org/


It works perfectly both over NFC and USB (either OTG micro-USB or USB-C).

I only use hardware keys now.


It supports PGP keys stored on YubiKeys via OpenKeychain. There's talk of removing support for OpenKeychain in lieu of a homegrown implementation since OKC development has lost velocity. And their library interface can be a bit cumbersome.



Not having access to your passwords on your phone is considered by some of us as a feature.


OP said they sync it to their phone.


So your git repo and GPG key are stored on the same device? What happens when that device is stolen?


Yubikeys that can do gpg are $40 or so and have lots of other uses.

Iirc, ssh can now do file encryption with FIDO2 keys; these are $10 or so.

Definitely worth buying a pair if you are worried about security (both Trojans, where local encryption at rest can be defeated, and losing your device, where it is not).


GPG keys are usually stored encrypted at rest.


> I used a browser extension for awhile, but I haven't gotten around to reinstalling since the copy/paste works fine for me.

One danger of doing just copy and paste is that you are more exposed to phishing attacks. The browser extensions for password managers check that the site they are filling in is indeed the site they stored the password for.
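The check this comment refers to is an origin comparison, and how strictly it is done is the whole point. The added example below is not from the thread or from any password manager; it contrasts a loose host check, which a look-alike domain passes, with exact web-origin equality (scheme, host and port, https only), which is the property copy/paste gives up. The vault entries and page URLs are constructed for illustration.

```python
# Added example (not from the thread): the origin check a password-manager
# extension should perform before auto-filling, beside the loose matching that
# a look-alike domain defeats.  Vault entries and page URLs are constructed.
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed vault: for this check, all that matters is the origin the
# credential was saved on.
VAULT = [
    {"id": "bank", "origin": "https://bank.example", "username": "alice"},
    {"id": "mail", "origin": "https://mail.example.org:8443", "username": "alice@example.org"},
]

DEFAULT_PORTS = {"https": 443, "http": 80}


def web_origin(url: str) -> Tuple[str, str, Optional[int]]:
    """(scheme, host, port) triple with default ports filled in."""
    parts = urlsplit(url)
    if not parts.scheme or parts.hostname is None:
        raise ValueError(f"not an absolute URL: {url!r}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)
    return parts.scheme.lower(), parts.hostname.lower(), port


def naive_match(entry: dict, page_url: str) -> bool:
    """Loose check: the stored host merely appears inside the page's host.
    A host such as bank.example.evil-site.test passes this."""
    return web_origin(entry["origin"])[1] in web_origin(page_url)[1]


def strict_match(entry: dict, page_url: str) -> bool:
    """Strict check: exact web-origin equality, and only over https."""
    page = web_origin(page_url)
    return page[0] == "https" and page == web_origin(entry["origin"])


def fill_candidates(page_url: str, matcher=strict_match) -> List[str]:
    """IDs of vault entries the given matcher would allow to be filled here."""
    return [e["id"] for e in VAULT if matcher(e, page_url)]


if __name__ == "__main__":
    for url in ("https://bank.example/login",
                "https://bank.example.evil-site.test/login",
                "http://bank.example/login"):
        print(url, "naive:", fill_candidates(url, naive_match),
              "strict:", fill_candidates(url))
```

Note that the strict version also refuses a different port (`mail.example.org:8443` versus `mail.example.org`), since those are distinct web origins; the mobile autofill mentioned later in the thread relies on the same kind of origin binding.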


But extensions bring their own security concerns too.

You can use auto type. But you need to make each entry identifiable and sometimes it doesn’t work because page and login titles change.


You could also store it in a Keybase [1] repo.

[1] https://keybase.io/


Isn't that now owned by Zoom?


Holy crap, you're right.


Interesting, I’m not too worried about it right now though.


We made an extension for encpass.sh (similar in some ways to pass) that stores secrets in Keybase (https://github.com/plyint/encpass.sh/blob/master/extensions/...) if that sort of thing is of interest to you. Outside of personal secrets, it can be used as a sort of low cost stand in for shared secrets that you might use something like Vault for in a team environment.


That's interesting. I started storing my dotfiles repository in Keybase. There aren't any secrets in there really, other than how my home directory is set up, but I figured there's no reason I couldn't keep my AWS keys and SSH key pairs in there too.


> I usually use the -c option to copy/paste my passwords

In X11 it's also possible to get passwords typed automatically with xdotool, which I call through an xmonad package. The only thing I'm missing is more powerful autocompletion.


Are you aware of passmenu, which is part of pass? The autocompletion/selection process works quite well for me.


I wasn't, thanks! It's very nice to be able to type part of the domain name first and then space and then part of the username.

... but as far as I can see, passmenu just copies to clipboard and doesn't use xdotool?


This is a bit late now (I need a way to follow up on my comments). But it can actually use xdotool if you run it with the --type option. See also the source here: https://git.zx2c4.com/password-store/tree/contrib/dmenu/pass...


Thanks. There wasn't any manual page or --help output, so I gave up on it, but now this may be the best option I know of. But, yeah, I could have just `cat /bin/passmenu`.


QtPass works great for me on all platforms including Windows



