
Show HN: Passmgr – Securely store passphrases and retrieve them via commandline - urld
https://godoc.org/github.com/urld/passmgr/cmd/passmgr
======
saintfiends
How does this compare to Pass [1]? I like its simplicity where all passwords
are stored in regular files, which makes it really easy to back up and move
around. I have it synced between my Android phone and laptop.

Only downside that I've seen users mention is that filenames are readable.

[1] [https://www.passwordstore.org/](https://www.passwordstore.org/)

~~~
urld
The main difference is that passmgr uses authenticated symmetric encryption
(AES-GCM) to store the contents in a single file, while pass, as you already
mentioned, stores each secret in a separate file, using asymmetric encryption
provided by gpg.

Storing secrets in separate files could leak metadata, especially when using a
public git repository for synchronization between devices.

Other than that, you don't have to deal with gpg key management in passmgr.

~~~
ben0x539
gpg key management, especially hooking into gpg-agent, seems like a feature,
really.

~~~
urld
I think there are many users who don't want to set up gpg on multiple
machines. I can also imagine scenarios where it is simply not possible to
set up gpg on every machine. Maybe you could work around such scenarios with
portable versions of gpg or something like a YubiKey.

However, I like the idea of having a single binary with a minimal set of
dependencies, which can be moved around easily wherever I want to use it.

------
Semiapies
Whenever a product like this shows up here, I find myself waiting for the
security guys to show up and explain why it's terrible.

~~~
urld
Let's wait together then. In the meantime I suggest this link:
[https://team-sik.org/trent_portfolio/password-manager-apps/](https://team-sik.org/trent_portfolio/password-manager-apps/)
Almost everything seems to be terrible.

~~~
Semiapies
Well, there's "has bugs" and there's "terrible and worse than useless", which
is what seems to be the verdict, more often than not.

------
infinisil
Would need a whole bunch more features for me to want to switch from pass
(passwordstore.org), which has already great git integration, command
completion, stores arbitrary contents (not just username, password and url), a
whole bunch of extensions and clients (I need an iOS client), can generate
passwords, and more.

Also I think the 6 seconds for pasting the password before the clipboard is
cleared is a bit too short, pass has 45 seconds which is a bit too much, maybe
something between 15-30 seconds would be optimal, or better yet: Let the user
configure it.

~~~
asymmetric
> I need an iOS client

Here you go:
[https://github.com/mssun/passforios](https://github.com/mssun/passforios)

~~~
infinisil
I meant that I need an iOS client as in pass has one (and I'm using it) but
passmgr doesn't

------
frou_dh
I've mused that a solid "delayed clipboard clear" feature would do some kind
of atomic Compare-And-Swap, because otherwise the originating program could
conceivably blow away something it didn't put there.

[https://en.wikipedia.org/wiki/Compare-and-swap](https://en.wikipedia.org/wiki/Compare-and-swap)

~~~
urld
Good point. I'm going to implement this, although it's probably not possible to
make it an atomic operation.

~~~
justtopostthis3
On X11 you can do better: the clipboard isn't actually stored anywhere, the
program requesting the paste gets the data directly from the program that
claimed the clipboard.

The clipboard lib you're using just spawns xclip (or xsel) on Unix. xclip has
a -loops argument that is the maximum number of pastes. So you could just
spawn:

    xclip -loops 1 -in -selection clipboard

And the password would be available to paste exactly once. Unfortunately I
don't think xsel has any such option.

There are clipboard manager apps that could grab the paste immediately and
persist it, but I'm not sure how common they are or if they are default
anywhere.

------
urld
Thank you for all of your feedback.

I've already implemented some features based on your ideas:

- configurable timeouts:
[https://github.com/urld/passmgr/commit/069c209](https://github.com/urld/passmgr/commit/069c209)

- basic filter functionality:
[https://github.com/urld/passmgr/commit/3c4b1ed4](https://github.com/urld/passmgr/commit/3c4b1ed4)

But I think the UI needs improvement, and core features like master passphrase
updates are still missing. Also the clipboard handling could be improved
(depending on the platform).

I'm not sure yet if and how browser integration or iOS/Android clients could
or should work with passmgr, but if I have time I will think about it.

------
ficklepickle
I wrote a bash script password manager[1]. It generates a random password,
encrypts it with your gpg key, and hides it in a picture with steghide.

[1] [https://github.com/jeremy21212121/bash-steganography-passwor...](https://github.com/jeremy21212121/bash-steganography-password-manager)

It was just an exercise to get better with bash, but I actually use it. It
could be trivially modified to take a password instead of gpg.

------
chias
It sounds like a lot of us have been making password managers recently. Here's
one I made a few days ago:

[https://github.com/ojensen5115/pw/](https://github.com/ojensen5115/pw/)

It uses a file in your private Keybase directory as its datastore (so
obviously depends on Keybase). As such, it eschews the need for its own master
password (or more accurately, it depends on your previous authentication with
your Keybase master password), and thus can operate in an individual-run
basis.

It could still use a decent amount of work (e.g. option to save a credential
based on a randomly generated password, etc), but I've been using it myself
recently and like it quite a lot.

~~~
gioele
> It sounds like a lot of us have been making password managers recently.
> Here's one I made a few days ago:

> [https://github.com/ojensen5115/pw/](https://github.com/ojensen5115/pw/)

I made one as well. Same name, totally different philosophy. ;)

[https://github.com/gioele/pw](https://github.com/gioele/pw)

~~~
chias
Hey, that looks really cool! Definitely something I'll want to look at in more
detail when I get the chance :)

------
ejcx
I built a golang password manager a while ago, in the image of pass.

Shameless self pitch. It is a little slicker, not needing the master key to
save sites.

[https://github.com/ejcx/passgo](https://github.com/ejcx/passgo)

------
leshow
I'd need a good reason to use this over pass. Does it have something that pass
doesn't?

~~~
urld
Feature-wise, no (not yet). However, I think my approach, using a single
encrypted file for all secrets, is somewhat more secure as it does not leak
information like what sites are managed by the password manager.

I guess you could also argue that by using AES, passmgr has the advantage of
being post-quantum secure, if that is important to you.

------
_eht
Would it be ill-advised to enable it to talk over a network to sync itself with
hosts that you manually add? Or even an option to --sync to a remote
git/GitHub repo?

~~~
urld
Personally I don't see the point in integrating synchronization features for
now. There are already tools which are good at synchronizing files. And since
everything is stored in a single file, it should be trivial to set up sync.
E.g. you could do so with an alias like: alias passmgrgit='git pull; passmgr
-file xxx; git commit -a -m "updated";git push'

------
lisper
cf.:
[https://github.com/rongarret/scache](https://github.com/rongarret/scache)

