
Show HN: Manage passwords with GPG - noondip
https://github.com/drduh/pwd.sh
======
nmrm2
[http://www.passwordstore.org/](http://www.passwordstore.org/) is a similar
solution, and I prefer it to this solution for a few reasons:

* git integration.

* Separate file for each secret, so that I can store the password on the first line and then other sensitive account details on subsequent lines.

* -c flag for copying passwords to clipboard (but only copies the first line of the file, so it doesn't interfere with the use case above)

* tab completion for user account names. However, this comes at a slight cost to security -- anyone with access to your machine (or git repo) can see all of the websites / accounts for which you have a password.

* Everything happens via the file system and secrets are just gpg encrypted text files. So it's really easy to implement new utilities on top of your password store. This is true for this solution as well, but somehow having separate files for each account makes it safer to implement utilities that do account management.

~~~
davej
These tools really need a browser plugin for them to be useful to me.

~~~
DDub
Has anyone tried using these?

- [https://github.com/gustaebel/passext](https://github.com/gustaebel/passext) (Chrome)

or

- [https://github.com/jvenant/passff](https://github.com/jvenant/passff) (Firefox)

~~~
werkshy
From the Chrome extension's GitHub:

> "This is pre-alpha quality software, the result of a three day project. It will crash your browser, leak your passwords and destroy your home. This is actually my first Chrome extension and I am no expert javascript programmer."

YMMV

------
vog
I'm using Emacs for something similar.

This works because Emacs can open .gpg files. It will decrypt them on opening
(asking for your password) and encrypt on saving. This is very powerful in
combination with Orgmode (.org), or any other module that provides auto-folding.

So I open my .org.gpg file and everything is folded. Then I search for what I
need, and only that part (containing some secrets) is unfolded.

Of course, this is no substitute for a proper password manager, but proved to
be useful a lot more often than I initially thought.

~~~
frankzinger
I'm not sure this is a good solution for this use case (password management).

The obvious way of getting the password out of the Emacs buffer is copy and
paste, which leaves the password on the clipboard where it is very easy to
find. Manually removing it (by copying something else) can't be relied upon.
(If you use Klipper you have an even bigger problem.)

I know all bets are off with any kind of password manager if the host is
compromised, but password managers and browser plugins presumably at least try
to scrub passwords from memory, which will save you if you forget to lock your
screen or your window manager has a screen lock bypass bug (very common).

The Emacs solution will protect you if you don't use full-disk encryption and
your disk falls into the wrong hands, but that applies (or should apply) to
all password managers.

What am I missing?

Edit: The same applies to the solution in the article.

------
ajross
Why bother with the fixed functionality?

    ;; Open the encrypted secrets file; Emacs's EasyPG decrypts it on open and re-encrypts on save.
    (defun cc () "Secrets File" (interactive) (find-file "/home/ajross/.cc.gpg"))

Launch with "M-x cc" (which is simple enough) or bind to a keystroke. Emacs
will prompt you for the decryption cleanly, your distro will surely cache them
with gpg-agent, and you can then just edit it and cut and paste as you like.

I'm pretty sure it's "cc" because it was originally a list of credit card
numbers, but quite frankly I've been doing this so long I've forgotten.

------
matkam
Pass ([http://www.passwordstore.org/](http://www.passwordstore.org/)) is a
password manager based on GPG that's been around for longer. It has some more
tools available that are built around it and helps organize passwords as well.

------
andrewstuart2
I'm definitely all for multiple options, but a tool that does exactly this
exists already, and uses git so you never lose history and can easily pass the
store around.

[http://www.passwordstore.org/](http://www.passwordstore.org/)

------
ghoul2
A bit late to the party, but for anyone who loves pass/password-store etc, but
does not like the entry names themselves being stored in the clear, I have a
port of pass that fixes exactly that problem:

[https://github.com/abgoyal/password-store2](https://github.com/abgoyal/password-store2)

Yes, it even has bash completion. It's fallen a bit behind the upstream as I
have not had the time to port in the new features (nor felt the need :-/).
Comments/patches welcome.

------
akeck
This and passwordstore.org are neat. I used to do one-password-per-gnupg-file
with plain GnuPG commands, and liked it quite a bit. Lately though, I've been
using passwords in plaintext in an AES256 disk image with a shared long
passphrase. The main advantage so far is that other family members can use the
disk image work flow easily. The main disadvantage is that the disk image
format is OS-platform specific. I know that KeePass probably works best for
family, so we may switch to that in the future.

------
tincholio
I just use a GPG-encrypted org-mode file... It's neatly organized as a table,
and always easily accessible from my recent files buffer.

~~~
agumonkey
So far 3 people have mentioned this, tempting.

------
ufo
Does anyone know if there is a way to make something equivalent to this but
using GPG's symmetric crypto instead of public crypto? This way you don't need
to carry a key file around with you, just the encrypted secrets.

~~~
noondip
This is a great point. The advantage I see to using pubkey is integration
with, for example, a cryptocard
([https://trmm.net/Yubikey](https://trmm.net/Yubikey)). Still, I wonder if the
default should be to use _gpg --symmetric_ instead.

~~~
ufo
The reason I asked that is because last time I messed around in this problem
space I had some trouble making gpg-agent remember the password for
symmetrically-encrypted stuff.

------
aidenn0
Reading in and storing the passphrase in a shell script seems like a bad idea,
particularly since GPG already has a tool for reading passphrases that will
cache your credentials.

[edit] I see that the passphrase is passed as a command-line argument. Aren't
those viewable to other users on Linux?
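
The two questions raised above, ufo's (a store built on `gpg --symmetric` so there is no key file to carry) and aidenn0's (a passphrase in argv is readable by other local users), can be answered by one small script. The following is an added example, not code from pwd.sh, pass or any project in this thread. It assumes GnuPG 2.1+ on PATH, a Linux `/proc` for the argv check, and an assumed `STORE` file of `name<TAB>password` lines; the sample entries and the passphrase `correct-horse-constructed` are constructed for the demo. The passphrase reaches gpg over file descriptor 3 with `--passphrase-fd`, never as an argument, so it does not appear in `ps` output or `/proc/<pid>/cmdline`.

```shell
#!/bin/sh
# Added example (not pwd.sh or pass code): a single-file symmetric-key GPG store.
# Assumes GnuPG 2.1+ on PATH. STORE is an assumed name for the encrypted file.

STORE="${STORE:-./secrets.gpg}"

# Encrypt stdin into $STORE. The passphrase is read from fd 3 (one line),
# so it is never part of the gpg command line.
store_write() {
    gpg --batch --yes --quiet --symmetric --cipher-algo AES256 \
        --pinentry-mode loopback --passphrase-fd 3 --output "$STORE"
}

# Decrypt $STORE to stdout; the passphrase again arrives on fd 3.
store_read() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase-fd 3 \
        --decrypt "$STORE"
}

# Print only the password for one account; entries are "name<TAB>password".
store_lookup() {
    store_read | awk -F '\t' -v name="$1" '$1 == name { print $2; exit }'
}

# Defender's check for aidenn0's point: return 0 if no process on this
# machine carries the given string in its argv, 1 if one does. Linux /proc
# only; the check itself is a shell function, so the secret is never placed
# in any argv by running it.
argv_leak_check() {
    for f in /proc/[0-9]*/cmdline; do
        [ "$f" = "/proc/$$/cmdline" ] && continue   # skip this shell itself
        case "$(tr '\0' ' ' < "$f" 2>/dev/null || true)" in
            *"$1"*) return 1 ;;
        esac
    done
    return 0
}

# Demo with constructed data in a throwaway GNUPGHOME; prints the looked-up
# password. The passphrase is fed on fd 3 from a here-document, not argv.
store_demo() {
    STORE="$(mktemp -d)/secrets.gpg"
    GNUPGHOME="$(dirname "$STORE")"; export GNUPGHOME   # mktemp -d gives mode 0700
    printf 'github\tconstructed-gh-pass\nemail\tconstructed-mail-pass\n' | store_write 3<<'EOF'
correct-horse-constructed
EOF
    store_lookup github 3<<'EOF'
correct-horse-constructed
EOF
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
}

if [ "${1:-}" = "demo" ]; then
    store_demo
fi
```

Run `sh store.sh demo` to see the round trip; in daily use you would redirect fd 3 from a `read -s` prompt or a pinentry, not a here-document in the script. Because the passphrase is supplied in loopback mode, gpg-agent is not involved in prompting; dropping `--pinentry-mode loopback --passphrase-fd 3` lets gpg ask through the agent's pinentry instead, which is the path ufo had trouble getting cached.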

------
vdfs
Another solution to manage passwords in one file using GPG encryption:
[https://github.com/boussouira/bash-pass](https://github.com/boussouira/bash-pass)

------
jimktrains2
[https://github.com/jimktrains/polygonus](https://github.com/jimktrains/polygonus)
was a little tool I wrote a while back.

------
drethemadrapper
I was going to try to use one of these solutions, when I read on the EFF that
they all provide a single point of failure.

If anyone gets hold of your master key/pwd, they would have access to all your
usernames & pwds.

[https://ssd.eff.org/en/module/how-use-keepassx](https://ssd.eff.org/en/module/how-use-keepassx)

Best to keep them separate - in your brain!

~~~
Foxboron
That's true, but you do forget someone. If you use four-five different passwords
spread among different sites, they will be easier to break than any generated
password from keepass, pass or passwordstore.

> If anyone gets hold of your master key/pwd, they would have access to all your usernames & pwds.

You would still need access to the physical storage medium. This is either a
threat or not depending on your threat model, and for most people this is
simply not a threat. And tbh, if someone got a hold of your unencrypted
computer you got another problem.

------
digitalsushi
We created our password file with ccrypt, and modern vim can open it right up
with no fuss.

