
Pass: A standard Unix password manager - jaybosamiya
https://www.passwordstore.org/
======
jbg_
I've used this for a long time, and along with its Git integration
(pushing/pulling to/from a repository on my own server, accessed over SSH) and
a GPG key stored on a Yubikey Neo, I've got basically seamless sync between
two laptops, a desktop and an Android phone, without using any third-party
service.

The "Password Store" app on Android is compatible with `pass` and supports Git
and NFC for using the Yubikey Neo to decrypt the passwords.

~~~
fps
I have the same setup, but I haven't yet been able to get the Yubikey Neo to
work as a GPG key on Android via NFC. It prompts for a PIN, but the PIN I use
for GPG on Linux isn't accepted. There's also no working Windows client for
this setup, so I find I have to manually copy a lot of 20 character complex
passwords by hand these days.

~~~
jbg_
Interesting. The same PIN that I use to unlock the card on my laptops works on
my phone. I'm not sure what would lead to the behaviour you describe!

------
guillaume20100
I recommend using Pass or Keepass, because we can see the source code. But
like all these password managers, you need to synchronize your password vault.

If you do not want to synchronize your vault among all your devices, but still
want to have a unique password per site, try LessPass[1]. LessPass is a
stateless open source password manager.

Disclaimer: I am the creator of LessPass.

[1] [https://lesspass.com/](https://lesspass.com/)

~~~
redthrow
Lesspass seems nice but how about keeping all passwords in a .txt file and
password protecting that file?

One benefit of the password-protect-text-file method over Lesspass is you can
also save answers to so-called "security questions" (for those sites that
still use them, like Paypal and government sites).

Alternatively, one can use Schneier's write-down-password-on-a-small-piece-of-
paper method.

[https://www.schneier.com/blog/archives/2005/06/write_down_yo...](https://www.schneier.com/blog/archives/2005/06/write_down_your.html)

~~~
c13k
This method works very well. I have one large text file containing all my
credentials, stored in an encrypted VeraCrypt file.

I have all this stored in my Linux box. I backup to my server side encrypted
AWS S3 bucket protected with 2FA. No need for me to sync anything, but if I
need access to my VeraCrypt file, I can download it when required.

I've used this method for two decades now, first using OSX .dmg files, then
TrueCrypt, now VeraCrypt. Simple, and works well.

~~~
rorosaurus
I suppose the main pain with this method would be accessing the passwords on
other devices. For example, I'd prefer to be able to copy/paste password on my
phone, instead of referring to another computer and typing it in one random
character at a time.

------
allerhellsten
Pass is pretty awesome, but nowadays I've switched to gopass:
[https://github.com/justwatchcom/gopass](https://github.com/justwatchcom/gopass)
- much better support for teams, structured secrets, binary secrets and quite
a few other improvements. Oh, and it's (mostly) drop-in compatible.

~~~
crypt1d
Looks nice. Unfortunately I would never use it for teams as it doesn't have
audit logs. These are very useful in case a user is compromised - you can
look up which passwords he accessed and only change those. Same goes if the
user left the team and you want to make sure all accesses are revoked.

~~~
mi100hael
For teams, I almost always go with Vault
([http://vaultproject.io/](http://vaultproject.io/))

~~~
joekrill
My impression of Vault is that it is more useful for automated situations. How
useful is it as a shared password manager? Do you have non-technical folks
using it? And if so, how are they interacting with the vault?

~~~
moondev
Sounds like a great idea for a side project. Build a user friendly interface
that leverages a remote vault server on the backend. Its primary use case is
definitely for applications.

~~~
joekrill
There are a handful of web-based UIs that have been built. And I believe
Hashicorp offers one with their enterprise product. But from what I can gather
they all still have a bit more of a learning curve than your average password
manager.

------
mrhigat4
I use pass and love it. It provides a lot of flexibility. To fix the "website
metadata is leaked in filenames" issue, I use another project by Jason,
ctmg[0]. I changed the pass directory to be one directory deeper, encrypted it
and just do `ctmg open` when I boot to open my password list (similar to
unlocking a KeePassX store) then use pass as normal. On shutdown, the opened
folder is re-encrypted automatically. You could also set a ctmg close on a
timer if you don't want the list to be available during your entire session
after open.

Other things I do:

* store all the files as .toml files so I can rip specific keys with a custom script.

* Have a directory for web so `pass web` will give me all websites. Have a script to fill username pass for each.

* Have a directory for contacts. Then wrote a script to generate vCard files by crawling and pulling keys, base64 profile images and all.

* use syncthing to keep all devices up to date.

It's pretty slick workflow IMHO

[0] [https://git.zx2c4.com/ctmg/about/](https://git.zx2c4.com/ctmg/about/)
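As an added example (my code, not pass's own and not mrhigat4's .toml scripts): a small parser for the layout pass itself documents, the password on the first line (the line `pass -c` copies) and free-form metadata after it. It assumes the common `key: value` convention for the later lines, treats a line whose text before the first colon is longer than 32 characters as a note rather than a key, and the sample entry is constructed for the example.

```python
"""Parser for a decrypted pass entry. `pass` treats line 1 as the password
(that is what `pass -c` copies) and leaves the remaining lines free-form;
this example assumes the common 'key: value' convention for those lines.
Added example, not pass's own code."""
from __future__ import annotations

# Constructed sample, shaped like the output of `pass show example.com`.
SAMPLE_ENTRY = """correct horse battery staple
username: alice
url: https://example.com/login
security question: first pet
security answer: j8Q!w2Lm*
Recovery codes are in the printed backup, not here.
"""

MAX_KEY_LEN = 32  # assumption: longer text before a colon is prose, not a key


def parse_entry(text: str) -> tuple[str, dict[str, str], list[str]]:
    """Return (password, metadata, notes) for one entry."""
    lines = text.splitlines()
    if not lines or not lines[0].strip():
        raise ValueError("entry has no password on its first line")
    password = lines[0]
    meta: dict[str, str] = {}
    notes: list[str] = []
    for line in lines[1:]:
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        key = key.strip()
        if sep and key and len(key) <= MAX_KEY_LEN:
            meta[key.lower()] = value.strip()   # keys are case-insensitive
        else:
            notes.append(line.strip())          # free text, e.g. a reminder
    return password, meta, notes


def get_field(text: str, key: str) -> str | None:
    """Look up one metadata key (case-insensitive); None if absent."""
    return parse_entry(text)[1].get(key.strip().lower())


def line_for_clip(text: str, n: int = 1) -> str:
    """The n-th line of the entry, 1-based: what a clipboard helper would
    hand over (line 1 is the password, line 2 here is the username)."""
    lines = text.splitlines()
    if n < 1 or n > len(lines):
        raise IndexError(f"entry has {len(lines)} lines, no line {n}")
    return lines[n - 1]


if __name__ == "__main__":
    pw, meta, notes = parse_entry(SAMPLE_ENTRY)
    print("username:", meta["username"])
    print("notes:", notes)
    # Never print the password in real tooling; hand it to xclip/wl-copy.
```

This is the piece a "fill username and password" wrapper needs: `line_for_clip(entry, 2)` gives the username line and `get_field` pulls a named answer such as a security question, which is exactly the kind of thing a derived-password scheme has no room for. The parser sees only decrypted text, so it still belongs behind `gpg`/`pass show`, not in a browser.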

~~~
zx2c4
Nice to hear somebody out there is using ctmg. I never bothered making
packages for distros other than Gentoo, but ctmg is quite useful so maybe I'll
do that.

~~~
mrhigat4
Cheers. Yeah for sure, I was too lazy to make a PR on nixpkgs, but this[0] is
what I wrote if anyone stumbles on this using NixOS. The nix package manager
can be installed on top of most OS's too.

[0]: [https://pastebin.com/raw/FYMean1q](https://pastebin.com/raw/FYMean1q)

------
dsacco
Note that pass was developed (and is maintained) by Jason Donenfeld (zx2c4),
the same person who developed Wireguard, the new VPN protocol.

Not that my opinion is worth a whole lot, but this is the password manager I
would choose to use if I wasn't using 1Password. Where many other password
managers use convoluted constructions with (e.g.) AES and PBKDF2, this is very
straightforward GPG.

~~~
Spooky23
> Where many other password managers use convoluted constructions with (e.g.)
> AES and PBKDF2, this is very straightforward GPG.

That's a bonus until you need to demonstrate FIPS 140-2 validation.

~~~
dsacco
GPG is FIPS 140-2 compliant (though pass itself might not be, depending on the
specific way it's used). Most likely pass would have to use GPG in a specific
FIPS-compliant mode to pursue validation.

~~~
Spooky23
GPG has a FIPS mode that will use FIPS 140-2 primitives.

But you'll have a finding in an audit in some circumstances as it hasn't been
validated. I've seen cases where they'll miss that if it's running on RHEL,
but it's a risk.

------
alex_duf
I don't like the fact someone with access to my hard-drive can figure out all
the services I'm using just by looking at the filenames.

It's convenient yes, but I prefer one encrypted file that contains it all.

~~~
YorickPeterse
This shouldn't really be an issue if you're using full disk encryption.

~~~
jrochkind1
That seems like saying why use an encrypting password manager at all if you're
using full disk encryption, isn't it okay to just keep your passwords in
plaintext on your encrypted disk?

~~~
rythie
Not if you use cloud backup or get a virus.

------
planetjones
With all the discussion about 1password and its decision to "more or less"
move to the web and a subscription based model, I had a TODO to look at what
the open source community had; especially regarding browser plug-ins, mobile
apps, etc. I don't understand why a simple problem like password management,
needs a subscription and a private company to create software for the problem.

This post seems to have saved me the trouble of Googling myself. I am
installing on the Mac and iOS as we speak.

~~~
cpenner461
> I don't understand why a simple problem like password management, needs a
> subscription and a private company to create software for the problem.

Speaking from recent experience migrating non technical users to 1Password,
while something like pass might work well for me/the typical HN user, there's
no way I'd try to get family to use it. I have found the overall 1Password
user experience to be very friendly and reliable, but am still semi regularly
having to help family figure out/re-explain something about how it works.
They'd be lost with something like pass.

~~~
dannysu
Exactly. You're paying 1Password to maintain the various apps and browser
plugins. Continuing to improve UX and add language support.

My parents don't speak English. Not everyone does.

That's what you're paying 1Password for.

~~~
hedora
I wish people would pay pass (or some other auditable open source software
team) for this sort of thing instead.

The situation is particularly painful for security critical software like
password managers and disk encryption. Commercial software could be keeping a
rot-13 copy of the database on an anonymous ftp server for all I know (or,
worse, be written for a leaky JavaScript sandbox).

The open source stuff generally stalls out after the first 90% of the
functionality is there, and the second 90% of the work remains.

------
tombert
I love Pass, but the problem I've had is that I always feel like I have to
spend a bunch of time setting it up when I'm on Windows.

I understand it's the standard _UNIX_ password manager, so I suppose I don't
have a ton of room to complain, and most of my computers are Mac or Linux, so
it's not a huge deal, but I think it increases the barrier of entry for a ton
of people.

That said, I think Pass is awesome, and having my passwords stored in Github
makes me really happy.

~~~
y4mi
The nonexistent browser support makes it even more troublesome to set up. There
is some support on Linux systems, but Windows is plain out of luck.

I _really_ like the idea of pass, but I'll never accept copy pasting
logins/passwords again. They'll need to be automatically inserted on a
matching website. Everything else is too much manual overhead for my taste.

~~~
cookiecaper
Please understand that browser integration is the Achilles' Heel of password
managers. While you get the convenience of autofill, you're also bringing
access to your password database into the browser's attack surface. Bugs in
the browser sandbox or improper extension implementations can allow rogue
sites to get the goods. There have been multiple instances of major password
manager extensions leaking secrets just in the last year.

Copying and pasting may be annoying, but it's much safer, especially if you
use a program that will autoclear your clipboard for you (KeePass 2 does this
after 12 seconds by default).

~~~
andrew3726
I agree that browser integration is troublesome. To circumvent having to use a
browser extension I use rofi-pass[0] which is a external script (using
rofi/dmenu and pass), so no browser integration. But it features autofill
which is extremely convenient.

[0] [https://github.com/carnager/rofi-pass](https://github.com/carnager/rofi-pass)

~~~
likeclockwork
Also using rofi-pass, really it's better than browser integration. Especially
if you bind it to a hotkey.

------
JetSpiegel
Using this and something like rofi-pass:

[https://github.com/carnager/rofi-pass/](https://github.com/carnager/rofi-pass/)

Gets me really close to the holy grail of password managers. Browser
integration is possible too with PassFF:

[https://github.com/passff/passff](https://github.com/passff/passff)

~~~
da_n
For me, browser integration is an anti-feature for password managers.

~~~
maccard
I prefer to trust the browser integration than to trust the clipboard.

------
fwx
How does this compare to other popular solutions? Specifically, KeepassX /
Keepass2 which are the most common solutions I've seen most Unix / Linux users
employ. Can we objectively state which one is a better solution?

~~~
scbrg
A few differences:

- There's no builtin GUI

- Each entry is its own file

- You control the storage format (meaning it's easy to store any kind of
information, not just passwords)

- It relies on GPG, so you need to set that up first

~~~
Sir_Cmpwn
> - You need to handle X integration yourself by piping to xclip, or similar
> (or just cut and pasting from terminal)

Wrong, pass provides the -c flag which puts it in your clipboard and clears it
after a timeout.

~~~
scbrg
So it does, yes. I forgot about that, since I needed to write my own wrapper
to paste both username and password (stored on separate lines) anyway. Thank
you for the correction, I'll update my post.

~~~
hdhzy
There is also QtPass (GUI around pass), and various browser extensions (e.g.
BrowserPass).

Of course one has to set it up, it's not an integrated solution. But GPG
provides interesting features like storing encryption keys on hardware
devices. Some devices like Yubikeys can have touch-to-use enabled. So each use
of a secret requires a touch (after PIN but that's once a session). Perfect
combination of convenience and security for me.

~~~
kronos29296
KeePassXC now supports YubiKey.

~~~
hdhzy
Well "supports" is a very broad term given that yubikey supports multiple
applets (OpenPGP, PIV, U2F, static passwords etc.).

Do you mean this:

> YubiKey challenge-response support for strengthening your database
> encryption key

From
[https://keepassxc.org/blog/2017-06-26-2.2.0-released/](https://keepassxc.org/blog/2017-06-26-2.2.0-released/)

Then it's not clear for me how this works exactly.

------
Aissen
I've been using password managers for while now, but I've recently discovered
pass-rotate: [https://github.com/SirCmpwn/pass-rotate](https://github.com/SirCmpwn/pass-rotate)

It's basically a rotation manager! Very powerful and lets you properly change
your passwords regularly on many websites (like the proprietary Dashlane
Password Changer or Lastpass' similar feature).

~~~
Sir_Cmpwn
I'm glad you like it! Please send patches with support for new services :)

------
adtac
Isn't copying the password to clipboard a vulnerability?

I think a better idea would be to fill in the password through something like
xdotool

~~~
thecopy
Password managers clear the clipboard after 1 minute or so.

~~~
painted
There are so many clipboard listeners out there :D so the fact that you clear
the clipboard doesn't really matter.

~~~
reificator
Clearing the clipboard protects against the user.

A password manager effectively can't protect against other applications on the
same machine. IMO that makes the universality of the clipboard more valuable
than the safety of using alternate input methods.

Though since there are plenty of things that block pasting passwords, those
alternate options are appreciated.

~~~
painted
To be honest, I can trust myself with the clipboard but not what is running on
my machine.

~~~
StavrosK
Then you can't use that machine. Not with a password manager, not without.

~~~
painted
so you know and trust every piece of software that is running on your machine?

~~~
notheguyouthink
I think the point in discussions like these is, what is the alternative? Ie,
add value to the discussion, not argue over semantics. Arguing that everything
(or this thing) sucks is.. non constructive. What do you see as better
alternatives?

I agree completely, the clipboard is non-trusted. Yet the fact remains, how
can we transmit an arbitrary string from a secure app like a password store,
to another app in need of authorization? Lets build constructive
conversations.

------
wallunit
I wrote a similar password manager (without knowing that pass already exists):
[https://github.com/snoack/mypass](https://github.com/snoack/mypass)

But I ended up storing everything into one single encrypted file, rather than
having one file per password. I see the point about the UNIX philosophy
(i.e. "everything is a file"), but that way you'd leak information, i.e. what
the stored passwords are for.

Anyway, I'd appreciate any feedback on mypass.

~~~
Galanwe
You miss the point. Having multiple files is not a matter of Unix philosophy.
Pass works with GPG keys... Multiple of them! The pass repository is to be
shared among your team, so every file can be encrypted for a different,
specific set of keys/users.

------
ben0x539
I've seen pass mentioned like a million times but I didn't realize there were
so many third party extensions for it, the comments here are pretty helpful.
Thanks for the submission!

------
rkeene2
Related: hunter2[0], a password manager which uses a smartcard to manage the
keys for each password, and supports multiple users.

[0]
[https://chiselapp.com/user/rkeene/repository/hunter2/](https://chiselapp.com/user/rkeene/repository/hunter2/)

------
zabil
I started with pass and switched to gopass because it automatically pushes new
passwords to your remote git repository.

I use a fish script to hook it up to
[https://github.com/junegunn/fzf](https://github.com/junegunn/fzf) for easy
search and copying to the clipboard.
[https://github.com/zabil/thanksforallthefish/blob/6145e98691...](https://github.com/zabil/thanksforallthefish/blob/6145e98691312361a18cfcdb6eaaf7b2f0a13fce/p.fish)

~~~
burnbabyburn
You could already do that with git hooks and pass:

    .git/hooks/post-commit  (must be executable: chmod +x)

    #!/bin/sh
    # pass commits on every change; push each commit to the remote right away
    git push origin master

------
nickjj
I've been using pass for a long time now. I have over 200 passwords stored.

I like it because you can use it to store sensitive info along with metadata,
not just single field passwords. It's also super easy to access the info on
the command line with ways to auto-copy passwords to your clipboard (which
expires after 45 seconds).

I did a write up on it a while back at
[https://nickjanetakis.com/blog/managing-your-passwords-on-the-command-line-in-linux-with-pass](https://nickjanetakis.com/blog/managing-your-passwords-on-the-command-line-in-linux-with-pass).

~~~
amelius
How do you deal with multiple devices? Do you sync your password files
regularly between them?

~~~
jbg_
I use Git; pass has integration with it out of the box (makes a commit for
each change to the password store). I just push and pull periodically myself,
but this could be automated. There is an Android app called Password Store
that is compatible with pass and has Git integration built in.

I remember seeing some guy who had his `pass` Git repository public on GitHub
and challenged the world to crack any of them. Myself, it's just git+ssh to a
repository on my own server.

------
alexnewman
I use pass on all my devices. iOS, Chromebook and CLI. I freaking love it!
passforios is still on TestFlight but so good. Only a few issues with
passforios:

- It forgets my GitHub password every time I upgrade

- I honestly don't like the fact that I can't turn off the PIN. 4 digits with
unlimited retries.

- It can't merge sometimes. I think they should be more aggressive about git
rebase

~~~
mmagin
Thanks for mentioning it. I previously couldn't have my passwords available
from my phone.

I created a separate ssh key and did this on my server
[https://superuser.com/a/444899](https://superuser.com/a/444899)

------
Accacin
I'm currently a Lastpass user. I know, trusting them to store my passwords is
probably not a great idea but it works on Windows, macOS and Linux and my
iPhone with no problems at all.

Would I like to move to something that isn't stored online? Yes, of course but
I haven't found a decent solution that works everywhere.

Any recommendations?

------
darrmit
I think pass is awesome if you have the workflow that supports it, but for the
vast majority (myself included) it's entirely too difficult to setup and
maintain. Particularly if you're using Windows regularly.

~~~
aeorgnoieang
_Setup_ is a bit of a pain, but what workflow is required? I just keep a
Cygwin window or a Bash on Ubuntu on Windows window open and tab over when I
need a password. With the shell auto-completion I find it easier to use than
other password managers, though I prefer not using my mouse so I'm surely biased
about that aspect.

I was previously using Password Safe, on Windows, and various compatible
alternatives on Linux and Mac OS. Years ago I had tried using a single 'safe'
synced via Dropbox but that was a big pain in the ass because sometimes I'd
inadvertently lock the safe file by, e.g. starting to add a new password but
not finishing. So instead I created a separate safe file for each computer or
device. To sync new passwords or changes to existing passwords I'd have to
periodically merge all of the safes and manually cleanup any conflicts between
them.

The main reason why I switched to Pass is that syncing the password stores on
each of my devices is so much easier using Git.

~~~
darrmit
Well, I'm talking from a non-developer perspective. I don't use Git daily, so
I had to stand up my own Git instance or pay Github for a private repo.

PassFF works well for Firefox on my Mac, but no equivalent for Windows. If
you're willing to forgo browser integration then that's less of an issue.

Lack of browser integration might also be less of an issue in Linux with dmenu
or rofi plugins like others have mentioned, but that still doesn't solve
Windows issues.

I had considered the Bash/Ubuntu/Windows option (instead of qtpass) but
haven't tried it yet.

~~~
bqe
Both Bitbucket and Gitlab have free private repos.

~~~
darrmit
Thanks for the tip. Didn't think to check anywhere other than Github, just
defaulted to standing up an Ubuntu server.

------
lower
I've been using this for a while and am very happy. Especially the ability to
use a private git repository for synchronization of laptop and desktop makes
this convenient.

------
tobias2014
If you're using XMonad, you definitely want to use the pass addon in the
xmonad-contrib package: [https://hackage.haskell.org/package/xmonad-contrib-0.13/docs/XMonad-Prompt-Pass.html](https://hackage.haskell.org/package/xmonad-contrib-0.13/docs/XMonad-Prompt-Pass.html)

I would claim that there isn't a more convenient password management solution
than this.

~~~
xiaomai
If you're not using XMonad, 'passmenu' is a really handy way to get your
passwords. I bind it to ctrl-alt-p and rarely run pass manually now.

------
leighflix
Alright guys, I tried using this as I was curious, and miserably failed.

Found out I needed GPG, and some encryption key or ID and whatnot. I have no
clue what these things are and would like to know.

How can I learn about this encryption stuff like keys and RSA and whatnot?
(Books n Articles)

~~~
jolmg
The Archlinux wiki typically has very good guides:

[https://wiki.archlinux.org/index.php/GnuPG](https://wiki.archlinux.org/index.php/GnuPG)
[https://wiki.archlinux.org/index.php/Pass](https://wiki.archlinux.org/index.php/Pass)

The simplest way to create your gpg-id is with:

    $ gpg --gen-key

Fill in your name and email in the prompts. When it tells you it needs to
generate a lot of random bytes, you'll probably want to do something like

    $ find /

to generate disk entropy for gpg to pull enough random bytes from /dev/random
to create your keys.

You can use the email you provided as the gpg-id you give to pass

    $ pass init $email

------
qrv3w
For those interested, I've been working on something similar but for journal
entries instead of passwords. [1]

[1]: [https://github.com/schollz/gojot](https://github.com/schollz/gojot)

------
tuxninja
If anyone needs a quick tutorial on pass I wrote about some it's features a
while back [http://tuxlabs.com/?p=450](http://tuxlabs.com/?p=450)

------
amelius
Anybody else here simply hashing their master password with the domain name of
the website?

I think this is something the browser should offer by default.

~~~
hiq
If your master password leaks you are exposed on every website where you used
this scheme (and you should then change every password), so on the security
side this is inferior to a master password granting access to uncorrelated
passwords.

~~~
amelius
Well, you can add a salt to this scheme.

I know, it's not perfect, but it beats carrying around password files between
devices.

~~~
jbg_
But you would just need to carry the salt around instead. You're just trading
convenience for (significantly) lower security.

~~~
amelius
Yes, it's a trade-off.

By the way, I'd prefer to have a password manager on my phone (or smartwatch),
and have it beam my password to my keyboard by NFC. But this solution does not
exist yet.
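To make amelius's scheme and hiq's objection concrete, an added example (my code: not LessPass's algorithm from further up the thread, and not anything a participant posted). It derives a site password with PBKDF2-HMAC-SHA256, using the normalized domain and a rotation counter as salt plus the optional extra salt amelius suggests. The iteration count, the alphabet and the `www.`-stripping rule are my assumptions; the `hunter2` master secret is a constructed test value.

```python
"""Stateless site-password derivation: every password is a pure function of
a master secret and the site, so there is no vault to sync. Added example;
not LessPass's algorithm and not code from anyone in the thread."""
import hashlib
import hmac
import math

# Assumptions: alphabet and work factor are illustrative choices.
ALPHABET = ("abcdefghijklmnopqrstuvwxyz" "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "0123456789" "!@#$%^&*()-_=+")
ITERATIONS = 100_000
# A 256-bit PBKDF2 output can fill at most this many symbols without padding.
MAX_LENGTH = int(256 / math.log2(len(ALPHABET)))   # 40 for a 76-symbol alphabet


def normalize_domain(domain: str) -> str:
    """Lowercase, drop a trailing dot and a leading 'www.' (assumed rule)."""
    d = domain.strip().lower().rstrip(".")
    return d[4:] if d.startswith("www.") else d


def derive_site_password(master: str, domain: str, counter: int = 1,
                         length: int = 16, extra_salt: bytes = b"") -> str:
    """PBKDF2-HMAC-SHA256 keyed by the master secret; the site, a rotation
    counter and an optional extra salt form the salt. Deterministic: the
    same inputs give the same password on every device, with no state."""
    if not 1 <= length <= MAX_LENGTH:
        raise ValueError(f"length must be 1..{MAX_LENGTH}")
    salt = b"|".join([normalize_domain(domain).encode("utf-8"),
                      str(counter).encode("ascii"), extra_salt])
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                              ITERATIONS, dklen=32)
    # Base-|ALPHABET| conversion of the 256-bit output (no per-byte modulo
    # bias); 16 symbols over 76 is about 100 bits of the 256 available.
    n = int.from_bytes(raw, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)


def verify_from_leaked_master(leaked_master: str, domain: str,
                              observed: str, counter: int = 1,
                              extra_salt: bytes = b"") -> bool:
    """The failure mode hiq describes: whoever holds the master secret (and
    the extra salt, if one is used) regenerates the password for every site."""
    candidate = derive_site_password(leaked_master, domain, counter,
                                     len(observed), extra_salt)
    return hmac.compare_digest(candidate, observed)


if __name__ == "__main__":
    pw = derive_site_password("hunter2", "www.Example.com")
    print(pw == derive_site_password("hunter2", "example.com"))    # True: same site
    print(verify_from_leaked_master("hunter2", "example.com", pw))  # True: master leaked
```

What the block shows: the same master and domain produce the same password on a laptop and a phone with nothing to carry, which is the convenience amelius is after. It also shows the trade-off jbg_ and hiq point at: `verify_from_leaked_master` is all an attacker with the master secret needs, the extra salt only moves the secret rather than removing it and still has to travel with you, and rotating one site's password means remembering a counter per site, so state creeps back in. There is also no place in such a scheme for the security-question answers or per-site policy exceptions a pass entry can simply hold as extra lines.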

------
homakov
Did anyone here NOT write their own pw manager?

------
molsson
Implemented as 700 lines of shell script?! Why?

------
leshow
I've used pass for years, it's great.

------
thesmallestcat
No, no it's not.

~~~
mdekkers
Why?

~~~
thesmallestcat
"standard Unix $THING" has meaning beyond marketing-speak.
[https://en.wikipedia.org/wiki/Single_UNIX_Specification](https://en.wikipedia.org/wiki/Single_UNIX_Specification)

------
hasenj
If it becomes standard, people would use it without a master password, and
then stealing passwords via malicious scripts will become very easy.

~~~
Sir_Cmpwn
What? How does this follow?

~~~
deong
Well, I guess if you had no master password, any script you expect people to
run could have a surreptitious "pass <some args> | curl" to post password data
to some web service of your choosing.

Still, if you use a password manager without a master password, I don't think
you can be protected from consequence, regardless of what your tools do. Pass
could refuse to allow the no master password scenario, or could force some
type of blatant user interaction to allow it to work, but ultimately, that
user is screwed by something somewhere.

