
Show HN: passgo, a command line password manager written in go - ejcx
https://github.com/ejcx/passgo
======
willvarfar
Why aren't the site names encrypted too?

Users are encouraged to store their password files publicly, and yet the files
contain a plaintext list of sites that the user has logins to!

Seems a serious privacy breach.

~~~
ejcx
Not encrypting site names was a UX decision. If site names were encrypted,
listing entries in your password store would require a prompt for your
password.

~~~
willvarfar
It's a bad default.

You could make it so that site names were encrypted by default, but files with
plaintext site names were supported.

~~~
ejcx
Some people may disagree with me but that's fine. There really isn't a correct
answer here. It's a product decision balanced with security. I think
_strongly_ wanting this is mostly FUD.

I firmly believe in secure defaults (with all my heart) but I don't think
there's a compelling reason to hide site names in this situation.

I trust the strong cryptography (and DJB) that protects the passwords and this
is plenty for keeping an attacker out.

Yeah, it's more information for an attacker but I don't think it buys an
attacker anything meaningful. Responding to ping or listening on specific TCP
ports and responding with service banners is "more information" too, but these
are accepted. Running your company on someone else's computer used to not be
accepted and now it is.

With strong cryptography there is no reason this information can't be public.
If you're truly paranoid, you can always use a private repo or a private git
server.

If anyone has a compelling argument for why this information should be secret
by default I would love to make the change.

~~~
willvarfar
Here are two obvious reasons for wanting to hide this meta information:

1) ejcx signs up for a porn service and is embarrassed to admit it

2) ejcx has an account on some server compromised. The attacker now wants to
get a nice list of other sites that ejcx also uses, so they can try their
luck to see where ejcx has foolishly used the same or similar password and
login name. This information is just a github search away.

In both cases, ejcx may never be so foolish. But users of password
management apps in general mess up all the time.

I want a password manager that I have confidence in to upload my passwords
somewhere I can retrieve them if I lose my home computers etc. However, I
don't want to announce to the world the websites I visit.

~~~
ejcx
I don't buy your second point. Your argument is that an attacker can try the
password elsewhere faster, when the list of sites an attacker is interested in
is small. An attacker could try every site in the Alexa 1m before anyone knows
the site's passwords were dumped anyway.
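
As an added example (not passgo's code, and not written by anyone in this thread), here is the design willvarfar is asking for and ejcx describes the UX cost of: the whole entry list, site names included, is serialized and sealed with an AEAD (AES-GCM) under a key derived from the master password, so the file at rest shows only a salt, a nonce and authenticated ciphertext, and even listing the sites needs the password. The on-disk layout (salt || nonce || AES-GCM output with "vault-v1" as additional data), the PBKDF2 round count, the sample entries and all identifiers are assumptions of this example; a real tool would use a memory-hard KDF such as scrypt or Argon2 rather than the PBKDF2 written out here with the standard library.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Entry is one record in the vault. The site name lives inside the encrypted
// payload, so the file at rest reveals neither sites nor passwords.
type Entry struct {
	Site     string `json:"site"`
	User     string `json:"user"`
	Password string `json:"password"`
}

const (
	saltLen   = 16
	nonceLen  = 12         // standard AES-GCM nonce size
	kdfRounds = 100000     // assumed; tune to the hardware in a real tool
	formatAAD = "vault-v1" // bound to the ciphertext as AEAD additional data
)

// pbkdf2SHA256 derives a 32-byte key from the master password (PBKDF2 with
// HMAC-SHA256, one output block). Stdlib only; a memory-hard KDF is better.
func pbkdf2SHA256(password, salt []byte, rounds int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index 1
	u := mac.Sum(nil)
	key := append([]byte(nil), u...)
	for i := 1; i < rounds; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range key {
			key[j] ^= u[j]
		}
	}
	return key
}

func newAEAD(master string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(master), salt, kdfRounds))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the entry list as one blob: salt || nonce || AES-GCM(json).
func Seal(master string, entries []Entry) ([]byte, error) {
	plain, err := json.Marshal(entries)
	if err != nil {
		return nil, err
	}
	salt := make([]byte, saltLen)
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	aead, err := newAEAD(master, salt)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 0, saltLen+nonceLen+len(plain)+aead.Overhead())
	out = append(out, salt...)
	out = append(out, nonce...)
	return aead.Seal(out, nonce, plain, []byte(formatAAD)), nil
}

var ErrBadPassword = errors.New("vault: authentication failed (wrong master password or tampered file)")

// Open authenticates and decrypts the blob. Listing site names requires this
// step, which is exactly the password prompt debated above.
func Open(master string, blob []byte) ([]Entry, error) {
	if len(blob) < saltLen+nonceLen {
		return nil, errors.New("vault: blob too short")
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	aead, err := newAEAD(master, salt)
	if err != nil {
		return nil, err
	}
	plain, err := aead.Open(nil, nonce, ct, []byte(formatAAD))
	if err != nil {
		return nil, ErrBadPassword // GCM tag check failed: wrong key or modified bytes
	}
	var entries []Entry
	if err := json.Unmarshal(plain, &entries); err != nil {
		return nil, err
	}
	return entries, nil
}

// LeaksSite reports whether a site name is visible in the file at rest.
func LeaksSite(blob []byte, site string) bool {
	return bytes.Contains(blob, []byte(site))
}

func main() {
	entries := []Entry{ // constructed sample data, not real accounts
		{Site: "example.com", User: "alice", Password: "correct horse battery staple"},
		{Site: "mail.example.net", User: "alice", Password: "another long passphrase"},
	}
	blob, err := Seal("master-pw", entries)
	if err != nil {
		panic(err)
	}
	fmt.Printf("at rest: %d bytes, site visible: %v\n", len(blob), LeaksSite(blob, "example.com"))
	got, err := Open("master-pw", blob)
	if err != nil {
		panic(err)
	}
	for _, e := range got {
		fmt.Println("site:", e.Site, "user:", e.User)
	}
	_, err = Open("not-the-password", blob)
	fmt.Println("wrong password:", err)
}
```

Because the AEAD tag covers the salt-derived key, the nonce and the additional data, a wrong master password and a flipped byte in the file fail the same way, and the tool never sees unauthenticated plaintext. The cost is the one ejcx names: there is no way to print the site list without deriving the key first.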

------
lucaspiller
I've been using `pass` for the past few years (I wrote a post on setting it up
on OSX which has been fairly popular [0]). However last month I switched to
1Password (I signed up to the family plan trial - I'm not set on it though).

The main thing I like about 1Password is the browser integration. It just
makes life so much easier being able to click a button and have the password
automatically entered into the form. I have a script ([1] - should be easy to
adapt for this) which would poll Chrome for the current URL, decrypt or
generate the password, and copy it to the clipboard - but clicking a button is
a lot less friction.

1Password also has a xkcd-style password generator option, which is great for
things like Netflix that you need to type in on TVs and such.

The main reason why I signed up for 1Password was so I could use it with my
family, but the browser extensions only work on OS X 10.10+, so that rules out
2/3 family members (who run Windows 10 and OS X 10.6). You can access the
passwords online, but it's nowhere near as user friendly. If anyone has a good
recommendation of an alternative (I'd prefer open source), let me know!

[0] [http://www.stackednotion.com/blog/2012/09/10/setting-up-pass...](http://www.stackednotion.com/blog/2012/09/10/setting-up-pass-on-os-x/)

[1]
[https://github.com/lucaspiller/passosx](https://github.com/lucaspiller/passosx)

~~~
LindenRyuujin
I've not used it myself but I believe LastPass is the most user friendly
option. I have non-tech family who use it and love its ease. Not sure about
OS X 10.6 support, but it certainly has Windows and OS X support
([https://lastpass.com/misc_download2.php](https://lastpass.com/misc_download2.php)).

I like KeePass2, which is open source but nothing like as smooth as LastPass
(no browser integration on OS X, and the Firefox integration on Windows works
but isn't perfect).

------
some_furry
The code looks very clean and well organized. It appears to be doing things as
simply and correctly as possible.

A 5 minute glance through the code didn't reveal any vulnerabilities. That's a
better result than most.

------
creshal
Shameless self plug:
[https://github.com/creshal/yspave](https://github.com/creshal/yspave)

Password manager that is actually safe against attackers with access to your
data at rest by encrypting everything (with authentication), including
metadata.

------
kgabis
Simple alternative: storing passwords in gpg encrypted files and using emacs.

Emacs has EasyPG, so when you create a file with a .gpg extension and try to
save it, it prompts you for a password to encrypt the file with. Similarly, if
you open a .gpg file it asks you for a password for decrypting it. This way
your only dependency is emacs and you can store the passwords file wherever
you like. And you don't expose the names of sites you need passwords for.

------
deathanatos
> _The most important difference is passgo is not GPG based. Instead it uses a
> master password to securely store your passwords._

"Instead" here seems to imply that GPG cannot securely store data in a
password-protected file, which it can. (See the --symmetric option.)

It just uses a library, and perhaps a custom serialization format / a
different format from what GPG uses.

One of the reasons why I encrypt my keyring with GPG (and I use a tool that
uses/wraps GPG) is because I can recover the keyring then with only GPG: I
don't need the actual keyring program, just GPG and the password.

------
imjcham
For newbies, it would be helpful to explain how to retrieve the encrypted
password, aka ./passgo www.example.com. Didn't see it listed on the help and
github page.

------
MindTwister
Yay a password manager I might actually use, very impressed so far.

~~~
creshal
If you don't mind me asking, what are the features you're interested in that
other managers don't have?

I've been tinkering away on my own password manager for a while, but since
it's not made in a hype language, it gets zero exposure on HN.

~~~
MindTwister
Off the top of my head it should:

- Work offline

- Work on multiple platforms

- Encrypt the passwords

- Backups/distribution should not be dependent on a single provider

- Ease of use (command line is fine, great even, but for the love of god make
it simple)

- Not require me to remember to copy around an encryption key

- Open source is a great bonus

~~~
creshal
Hm, seems my solution ticks all checkboxes except multi-platform availability
(python in e.g. Windows is… not fun). I'll keep that in mind for the
inevitable rewrite, thanks for the feedback.

------
timlyo
I'm still on the fence about password managers. I always worry that I'll end
up on a computer without my passwords and not be able to log on.

~~~
eropple
I'd have to be without my phone, my tablet, and my laptop, while needing to be
able to log into something. I can't think of a situation in the last couple
years where I've not had at least one of those things, to say nothing of not
having one of those things _and_ needing to log into something.

------
epoxyhockey
Very nice. I like the key feature being that your encrypted vault can be
publicly posted. In a team environment, does it make sense to share the master
password with all team members? Or is passgo designed for just the individual
in mind?

I have been looking at
[https://www.vaultproject.io](https://www.vaultproject.io) for team credential
storage and sharing.

~~~
ejcx
Sharing a password is bad for several reasons.

I plan to build sharing into passgo, since I realize it would simplify things
for a lot of teams.

~~~
Xylakant
Sharing a password can be a good thing in some circumstances. My co-founder
has all my passwords to my encrypted backups and important business accounts.
Just in case I perish, for example. Or in case I forget my backup password at
an inconvenient time.

~~~
ejcx
Sharing the password informally generally leads to bad practices, like a group
email with the password, or multiple sticky notes.

A password sharing solution I have no problem with, since there are real
reasons to share.

------
dejawu
As a Go developer, I'm curious. Why is it that whenever a project built in Go
is submitted to HN, the title mentions that it's built in Go? What makes the
language special that it's worth mentioning?

~~~
ymse
This question comes up every time an "X written in Y" is submitted. Sometimes
the language implementation is a novelty, but usually it's just a non-
redundant piece of information.

Many people on this site care about the language, so why should we _not_
include it? People who dislike the Y ecosystem are free to ignore it, and
people who have been looking for an X implementation save some brain cycles
figuring out what it's written in.

Personally I think more articles should include this. I'm always disappointed
when a cool-sounding project is written in Node.

------
rread
A neat idea, but then I think wouldn't it be clever to introduce such a tool
with a backdoor, and then convince people to use it to store their passwords
publicly? I'm not accusing this project of anything nefarious, but bugs
happen, and a security review wouldn't be a bad idea. Not to mention some unit
tests, maybe? :)

------
huddo121
When I use passgo, how do I collect my $200?

edit: Now that I've read the commit message; :(

------
hghar
Seems interesting, but why not use GPG?

~~~
ejcx
I went with a master password and AEADs because I don't like GPG.

It appeals to a bigger number of people, too, since not all devs understand
GPG and shouldn't be expected to.

~~~
Natanael_L
Saltpack.org?

