
Announcing gopass – A 'pass' compatible password manager for teams - MetalMatze
https://www.justwatch.com/blog/post/announcing-gopass/
======
zx2c4
> Second, with all due respect to the original author zx2c4 (who is currently
> working on the very promising WireGuard project)

Indeed I am working on WireGuard. But I haven't forgotten pass. We're
currently working on a new release.

> the project proved to be a wild bunch of hotwired bash scripts that mostly
> looked like they were written as a one-off job

I very much disagree with this silliness.

~~~
MetalMatze
First of all: Thank you for pass! We've been using it a lot internally and
just because pass is so awesome, we decided to start gopass.

We use Go for almost everything at JustWatch and that's why we decided to
rewrite it in Go as this would allow us to add even more features with better
abstraction in the future. Bash just didn't feel like the right fit for that.

~~~
gmluke
I looked at the code for pass recently, and thought it was a nice example of
something where bash is absolutely adequate.

You point out (in discussing the design of pass):

> There is one slight drawback to all the simplicity, and that is an
> information disclosure inherent to the design: pass stores all folder and
> file names in clear text, so even if you fully trust GPG, you should
> probably not put this repo into a public place like Github, because this may
> expose your account names and other metadata.

What's not completely obvious from a cursory read is whether gopass improves
upon that. Also, the multiple stores feature looks like it might be quite
nice, but a lengthier example would be very helpful!

Edit: improve clarity

~~~
johnnycarcin
I was just thinking the same thing and was wondering if I missed that? I have
been working on a similar project for keeping bookmarks and haven't found
(yet) an easy way to obfuscate directory and file names in a way that doesn't
make the tree structure look like a mess but still makes it difficult for the
majority of people to "crack".

------
VA3FXP
I'm pretty excited about this actually. Thank you so much for your efforts.
I've been using pass for a while now, and I really love what it does, but it's
a case where it feels 90% finished.

I have one desperate request; colour output as an option. Every time there is
an update to pass (or I need to reinstall) I need to edit the file and change
the options from " tree -C " to " tree -n "

This is a pain in the ass. I am visually impaired. The 'default' dark-blue
that tree uses for directories is unreadable to me.

My two choices for dealing with this are to use DIRCOLORS or edit the pass
executable. I'd prefer to not muck about with my environment settings. (as I
do not normally see any colour output)

Anyway; awesome project!

~~~
MetalMatze
[https://github.com/justwatchcom/gopass/issues/4](https://github.com/justwatchcom/gopass/issues/4)

I just created an issue for that. Shouldn't be that hard to support it. Feel
free to subscribe to the issue on GitHub or comment on anything that's missing.
Thanks!

------
zeveb
> There is one slight drawback to all the simplicity, and that is an
> information disclosure inherent to the design: pass stores all folder and
> file names in clear text, so even if you fully trust GPG, you should
> probably not put this repo into a public place like Github, because this may
> expose your account names and other metadata.

This is my concern with pass. It's an awesome tool, but it _really_ needs to
figure out a way to hide the filenames. I think this is doable (after all,
encfs has the same need, and does it well), but I don't know if the pass team
have the will to do it.

> First, the project is curated in a traditional mailing-list based approach
> that was pretty unapproachable compared to a modern Github based workflow.

Sigh, not this again. I think that I prefer email vice a proprietary,
centralised single point of failure like GitHub, and I know that I'd rather
not work with someone who considers email unapproachable.

If your email account is unmanageable, _fix it_. Email's a really, really
valuable tool; don't let go of it.

~~~
aeorgnoieang
I use _git-remote-gcrypt_ [1] for configuring remotes for all of my local Pass
repos. I just point the 'gcrypt' remote to a file in Dropbox and voila, a
fully encrypted Git repo for syncing all of my individual Pass repos.

[1]: [https://spwhitton.name/tech/code/git-remote-gcrypt/](https://spwhitton.name/tech/code/git-remote-gcrypt/)

~~~
zeveb
That _is_ pretty cool, although I'd _also_ like to have the filenames
encrypted on my machine.

------
ejcx
Shameless self plug: I actually built a project called passgo, modeled after
Jason's pass project as well. I'm a huge fan of pass' simplicity, but I really
dislike managing keys:

[https://github.com/ejcx/passgo](https://github.com/ejcx/passgo)

The difference is mine does not use PGP and is instead password based, but the
command line interface is almost identical. I now use passgo to encrypt and
manage my ssh keys, etc.

~~~
MetalMatze
Saw that in the process of writing gopass too!

> The difference is mine does not use PGP and is instead password based...

And we still wanted to use PGP because crypto is hard. :)

------
endymi0n
We're the team behind gopass and worked hard over the last weeks to bring you
this - happy to hear any feedback!

~~~
danjoc
I've used QTPass. It provides support to encrypt password directories to
multiple keys. It allows for multiple profiles as well, so one can have a team
password store as well as a private one. It can also auto push/pull. Plus it
has a nice cross platform gui.

Can you elaborate on the differences between how gopass and QTPass accomplish
these things and why one might want to choose gopass instead?

~~~
endymi0n
Roadmap:

- Be 100% pass compatible
- Storing binary files in gopass (almost done)
- Storing structured files and templates (credit cards, DBs, websites...)
- UX improvements and more wizards
- Tackle the information disclosure issue
- Build a great workflow for requesting and granting access
- Better and more fine grained ACL
- Be nicely usable by semi- and non-technical users

~~~
danjoc
> Tackle the information disclosure issue

I'm curious how you plan to approach this one. One nice thing about passff is
that it can find the right password file based on if the file name matches the
domain. I don't need to drill down to my bank/paypal file when I visit
paypal.com for instance.

It would be nice if a public github repo would suffice, but putting a git
remote on a usb stick works pretty nicely and is private as well.

I'm considering writing an implementation myself for a different audience, so
it is nice to pick your brains as you've probably given this a lot of thought
too :)

------
LamaOfRuin
Should tab completion work with gopass? Seems pretty unusable to me as a
general purpose password manager without it, but it doesn't work for me out of
the box with a `go get` source install.

Edit: found it on the github readme
[https://github.com/justwatchcom/gopass#autocompletion](https://github.com/justwatchcom/gopass#autocompletion)

------
miduil
I've been using `pass` for a very long time, and in combination with dmenu or
rofi, it has proven to improve my workflow accessing passphrases a lot.

For 'teams' (and serv{er, ices}) I've started implementing some stuff via
vault-project [0]. The project looks really promising, sadly it never got
upvoted on HN so far.

The basic concept of vault is a centralized storage of secrets, managed via
Access-Control-Lists (ACLs) and accessible via REST. Because the secrets are
only accessible from a single point, you'll also have an overview of who did
access which secret (called audit log). It's also possible to implement
replacing all necessary secrets whenever someone has left/changed the group
that got access to the secrets. Vault also makes integration in certain
provisioning tools possible (though, that's something you need to spend more
development in). Vault provides many database-backends [1], but also various
other things (like ssh [2]).

Other things for managing secrets are:

- keywhiz: [https://square.github.io/keywhiz/single_page.html](https://square.github.io/keywhiz/single_page.html)

- keyringer: [https://keyringer.pw](https://keyringer.pw)

[0]: [https://www.vaultproject.io/](https://www.vaultproject.io/)

[1]:
[https://www.vaultproject.io/docs/secrets/index.html](https://www.vaultproject.io/docs/secrets/index.html)

[2]:
[https://www.vaultproject.io/docs/secrets/ssh/index.html](https://www.vaultproject.io/docs/secrets/ssh/index.html)

~~~
MetalMatze
Yes. Vault is awesome and we're planning to use Vault ourselves.

However Vault is mostly meant for machines to read the secrets and gopass is
designed for humans.

------
dkonofalski
Really weird that there's no mention of 1Password and its flexibility through
both 1Password for Teams and 1Password Shared Vaults. I work with 2 different
teams that share passwords like this and one of them has a shared vault that
syncs through Dropbox for everyone while the other one is managed through
1Password for Teams so that we can update passwords and access at our
discretion.

I'm very curious to see how this will stack up against those solutions
because, to be honest, there is very little room for improvement from
1Password, in my eyes. They have a very, very solid and secure product and the
UI is fantastic.

~~~
swozey
Not viable until they support Linux which they've put zero effort into doing
even though it's been requested for years. I used to use it in Wine which was
decent but the Chrome extension couldn't talk to the app which makes using it
a terrible UX (open app, search for pass, copy, paste, over and over).

Literally the only reason I currently use OSX. A password manager...

Here's the 6 year old 35 page thread if you want to throw your vote into a
black hole: [https://discussions.agilebits.com/discussion/2846/new-produc...](https://discussions.agilebits.com/discussion/2846/new-product-request-1password-for-linux/p1)

Instead they've become a SAAS LastPass competitor which literally nobody asked
for; in fact people were trying to leave LastPass due to its forced-online
nature (which naturally frightens people, having your passwords stored online
somewhere).

~~~
caconym_
> Instead they've become a SAAS LastPass competitor which literally nobody
> asked for; in fact people were trying to leave LastPass due to its forced-
> online nature (which naturally frightens people, having your passwords
> stored online somewhere).

I've used 1Password for a number of years and loved it and recommended it to
friends and family, but their offering now just confuses me. I don't even know
what their product is anymore, and I _really_ need to be able to understand
the attack surface of my password manager. So I've been looking into... other
options.

~~~
swozey
I have zero faith in 1Password's engineering/security capabilities. They've
been scooting by on "just good enough" for the last 5 years. They have
introduced NOTHING new to the market in that time.

Someone will disrupt the market at some point and they'll be another has-been
because they've continuously been years behind the market trends. I mean
they literally just got into a SAAS offering and it had a hilariously botched
launch; if you used their Win10 app (which you had to use to use their
Family/Teams option) you COULD NOT LOAD A LOCAL PASSWORD DATABASE. For about 6
months I had to store all of my personal passwords onto my Team/Personal
database because the win10 app did NOT have the ability to open a local
password database. Now I've got 6 months worth of new passwords from my
personal desktop stored on my work database and at some point I need to figure
out a way to sync them together so I don't lose these passwords if I ever
leave or so nobody else has access to them.

Absolutely blew my mind. Also, like you, I paid for the full app several years
ago and here I am having to pay monthly, or yearly, I don't even know to get
updates. I have zero idea as to how secure their online offering is.

Sorry, but this company makes me livid. If the other options weren't so
terrible they'd be nothing.

Them acting like it's some engineering goddamned marvel to make their app work
in Linux is just a slap in the face, especially considering how many people
have made third party apps that can open their database in their free time.

~~~
dkonofalski
I absolutely disagree. They have introduced all kinds of new features to the
market and were the first password manager to support TouchID on the new Macs.
If there's one thing that I can commend them on, it's their dedication to not
making changes that might make their product less secure.

And your comment about having to pay monthly or yearly is either flat-out a
lie or is completely disingenuous. If you own their app, you don't have to pay
at all to update it. I haven't had to pay for updates to 1Password since I
purchased it like 6 or 7 years ago. If you choose to sign up for their non-app
SaaS offering, then of course you pay a monthly fee. To conflate the two is
either dishonest or ignorant.

And no one's acting like it would be an engineering marvel. Maybe they don't
simply have the demand to justify investing in a Linux app. If you don't like
it, use their online service that has a Chrome extension. I don't really see
what the problem is.

------
draven
I just spent a few hours to migrate our keepassx database to pass and make the
team switch to pass.

Gopass seems great, especially the multistore support (which you can do w/
pass by setting an env variable), thank you for your work!

~~~
nerdponx
What made you want to switch?

------
aeorgnoieang
I'm currently using Pass on most of my computers.

I was using Bruce Schneier's Password Safe (and various compatible apps:
pwSafe on Mac and iOS and Password Gorilla on an older Mac and Linux boxes)
and the big pain for me was merging changes.

I'd found that trying to use a single 'safe' via Dropbox was a recipe for
disaster because some of the programs wouldn't cleanly close the safe file, or
at least one of them would occasionally complain about the state of the file.
So I created a copy of the safe for each of my computers and devices. Then
every 6 months or so I'd merge all of the safe files into a single file and
recreate all of the device-specific files as copies of that single file.

But merging in Password Safe sucked. There was no way to review the
differences between entries in different safes, other than manually inspecting
entries. I don't believe either of the two versions (Mac and iOS) of pwSafe
(both version 1) supported merging at all. Password Gorilla was actually the
best among the bunch as it had a nice 'diff' window with which you could
explicitly pick which version of several fields for an entry you wanted to
retain. But sometimes I couldn't get its 'diff' window to fit on my screen so
I'd have to plug my laptop into a larger monitor.

Using Pass with Git is _so_ much easier.

I've also been using _git-remote-gcrypt_ [1] to push my local Pass repos to a
shared 'remote' file stored in Dropbox. It works great.

[1] [https://spwhitton.name/tech/code/git-remote-gcrypt/](https://spwhitton.name/tech/code/git-remote-gcrypt/)

The only painful aspects of Pass now are the weird behavior of `gpg` on Windows
in Cygwin and the clunkiness of my current multi-repo setup. Hopefully running
Pass under "Bash on Ubuntu on Windows" will mitigate the former. Given that
Pass is written in Bash and that the various repo config settings are read
from environment variables, it doesn't seem likely that the latter will get
much better than my current setup, which involves sourcing a script to switch
the relevant environment variables.

~~~
MetalMatze
I know the pain of managing the synchronization of your password store. That's
exactly why we enable git by default now and auto commit all your changes like
pass did before. For me it works great personally, but also with a team it's
awesome. It just feels like working with people that know git on something not
encrypted.

Regarding the Windows support, we would be happy to get as much feedback on that
as possible. None of us uses Windows with gopass. If you have any idea how
to improve the experience please let us know. Thanks!

------
OJFord
This looks great, I've been toying with something similar built on top of
Keybase that I just use for personal passwords, but using KBFS means it should
be simple to extend it to shared passwords, since you just store it in the
`private/me,you` directory instead of `private/me`.

My concern with using something like this or pass is that I have to manage the
distribution/backup of the store/vault/db myself - whereas I can throw my
laptop off a cliff, buy a new one, login to Keybase, and my passwords are
still there.

------
jpeeler
I quickly looked to see what git library gopass is using, but it looks like
git is just being called directly:
[https://github.com/justwatchcom/gopass/blob/a6f88e079be193f8...](https://github.com/justwatchcom/gopass/blob/a6f88e079be193f82779abb49d89c90442c91edb/password/git.go#L32).
Surely libgit2 would work well here.

------
tyingq
Pretty neat, and addresses a space where no tools seem to exist.

Would be cool if it could leverage a GitHub public repo for password updates.
Something like using the list of collaborators on a repo, iterate over their
GH public keys, and push new encrypted files for each collaborator on the
repo.

I suppose though, this would leak a lot of metadata on how the tool is being
used, and would tie it too closely to GitHub vs just git.

~~~
hobarrera
> Pretty neat, and addresses a space where no tools seem to exist.

It's literally a port of an existing tool, so a tool DID exist.

~~~
tyingq
The space is "team sharing" for passwords. My reading of the post says that's
a net new feature.

Or did I miss something?

~~~
hobarrera
pass doesn't lack anything for "team sharing". You can add the GPG keys for
multiple users ("team"), and they can all read those passwords.

From what I can tell, gopass adds nothing new here (they even brag about using
the same format/interface).
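A small audit tool, added here as an example and not code from gopass or pass: it walks a pass-format store, lists every secret's cleartext name (the metadata disclosure quoted above) and resolves which key ids can decrypt it from the nearest `.gpg-id` file, which is where the multiple GPG keys of a "team" store described above are listed. It assumes a standard pass layout (`*.gpg` entries, a `.gpg-id` in the store root or in a subfolder); the key ids printed are whatever the audited store contains.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// readGpgID returns the key ids listed in a .gpg-id file, one per line.
func readGpgID(path string) ([]string, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	return strings.Fields(string(data)), nil
}

// AuditStore maps each secret's cleartext name (the metadata the thread
// warns about) to the key ids that can decrypt it. pass takes those from
// the nearest .gpg-id in the secret's directory or a parent, up to the
// store root; a subfolder with its own .gpg-id is how a team store works.
func AuditStore(root string) (map[string][]string, error) {
	root = filepath.Clean(root) // so the walk-up loop can recognise the root
	out := map[string][]string{}
	err := filepath.Walk(root, func(p string, info os.FileInfo, err error) error {
		if err != nil {
			return err
		}
		if info.IsDir() && info.Name() == ".git" {
			return filepath.SkipDir // git history is not a secret entry
		}
		if info.IsDir() || !strings.HasSuffix(p, ".gpg") {
			return nil
		}
		rel, _ := filepath.Rel(root, p)
		name := strings.TrimSuffix(filepath.ToSlash(rel), ".gpg")
		for dir := filepath.Dir(p); ; dir = filepath.Dir(dir) {
			ids, err := readGpgID(filepath.Join(dir, ".gpg-id"))
			if err == nil {
				out[name] = ids
				return nil
			}
			if !os.IsNotExist(err) || dir == root {
				return fmt.Errorf("%s: no usable .gpg-id up to store root", name)
			}
		}
	})
	return out, err
}

func main() {
	store := "." // default: audit the current directory
	if len(os.Args) > 1 {
		store = os.Args[1]
	}
	secrets, err := AuditStore(store)
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}
	for name, ids := range secrets {
		fmt.Printf("%-30s readable by: %s\n", name, strings.Join(ids, ", "))
	}
}
```

Run it against a store before pushing that store to any shared or public remote: the left column is exactly what anyone who can read the repository learns without holding a key.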

------
praseodym
There's a Chrome+Firefox browser plug-in which also uses a native binary
written in Go:
[https://github.com/dannyvankooten/browserpass/blob/master/br...](https://github.com/dannyvankooten/browserpass/blob/master/browserpass.go)

~~~
MetalMatze
Yep. I'm using that extension on Chrome every day with gopass in the
background. Works great! Now that we published gopass I wanted to take another
look at the source of browserpass in the coming days. Maybe we can try to
support both pass & gopass (with the new features).

------
rkeene2
I have a similar project that uses smartcards/HSMs/anything with a PKCS#11
interface called "hunter2":

[https://chiselapp.com/user/rkeene/repository/hunter2/](https://chiselapp.com/user/rkeene/repository/hunter2/)

------
marcosnils
Hey there, Vault author here (not the HashiCorp one; ours is earlier).
Wondering if you came across our project:
[https://github.com/franela/vault](https://github.com/franela/vault)

------
WhitneyLand
So is this intended to be Unix focused, not something that could replace LastPass
for example? Been looking for something better than LP.

~~~
eridius
I'm a fan of 1Password.

~~~
WhitneyLand
1Password is OK but has issues; I tried them for about a year.

Lastpass does some things well but it's not had the greatest record on UX or
on security.

1) The prompt to "create new site?" is so dumb it commonly saves URL junk as
the homepage like [http://mysite.com/create-new-account?huge-long-querystring](http://mysite.com/create-new-account?huge-long-querystring). You
always have to manually edit the vault to keep it clean.

2) The form detector to auto-fill username/password often can't find the right
fields forcing you to manually copy/paste credentials.

3) On iOS there is no way to autofill address/cc (identities) from the
extension

4) They've been compromised, and even afterwards one guy found like 3 zeroday
exploits in a weekend and thought it was so bad he couldn't believe people
were using it.

The list goes on and on with primary usage scenario problems they could do
better at but simply do not for whatever reason.

------
homakov
Any example of a company where few people badly need to share password and
there is no "team" where you can add new users?

------
Daviey
A comparison between this and Vault would be super useful.

~~~
endymi0n
Vault is pretty cool as well, but hard to set up correctly (you need your own
PKI for serious use, etc.). Its sweet spot is server-side and app secrets
used in production, while gopass is meant to cater for all kinds of shared
secrets in distributed teams.

~~~
falsedan
I don't understand the distinction.

Vault's sweet spot is automated generation and revocation of credentials which
are given to authenticated clients (like creating a one-off keypair for an SSH
session & giving the private part to the user and allowing the server to read
the public part).

We're currently testing the waters of migrating our pass-like shared password
store to vault (so we can grant authorization to automated scripts to read
certain shared rotated creds).

~~~
tex0
I would very much encourage anyone to use Vault to manage secrets consumed by
machines, but for personal credentials it's maybe not the best fit.

~~~
endymi0n
One of my ideas was using Vault as an alternative backing store for a gopass
mount actually. And then it's Vault for company secrets (and no hassle with
keys due to central PKI) and gpg for private stores (fast & simple to set up
on your own).

