Show HN: Passmgr – Securely store passphrases and retrieve them via commandline (godoc.org)
94 points by urld 9 days ago | 40 comments

How does this compare to Pass [1]? I like its simplicity where all passwords are stored in regular files, which makes it really easy to back up and move around. I have it synced between Android phone and laptop.

Only downside that I've seen users mention is that filenames are readable.

[1] https://www.passwordstore.org/

The main difference is that passmgr uses authenticated symmetric encryption (aes-gcm) to store the contents in a single file, while pass, as you already mentioned, stores each secret in a separate file, using asymmetric encryption provided by gpg.

Storing secrets in separate files could leak metadata, especially when using a public git repository for synchronization between devices.

Other than that, you don't have to deal with gpg key management in passmgr.

I did something similar with a project for Node.js called nermal[1], which comes with an example called `tagaloop` that I still use to store my passwords. Even though it had a bit larger of a scope (it is a library for encrypting/decrypting arbitrary JSON with AES-GCM + scrypt + random-length-padding), one of the examples is a password manager called `tagaloop`. It did not really get the sort of traction that I hope you're going to see -- good luck! Fortunately I can still call it a success because it has made my life much easier in many cases.

We both can make different choices and that's OK, but I'm happy to see as a design point that both of our password managers are interactive loops to avoid the history management of the shell. I will say, though, that my files routinely hold way more than 4 passwords and listing them all for the user to choose by number is not really appealing: so one of the biggest things that `tagaloop` does is that it just lets you grep through them at the interactive console. You might want to consider that as a very important feature.

[1] https://github.com/drostie/nermal

gpg key management, especially hooking into gpg-agent, seems like a feature, really.

I think there are many users who don't want to set up gpg on multiple machines. I can also imagine scenarios where it is simply not possible to set up gpg on every machine. Maybe you could work around such scenarios with portable versions of gpg or something like yubikey.

However, I like the idea of having a single binary with a minimal set of dependencies, which can be moved around easily wherever I want to use it.

As an alternative to that, written in Go and compatible to "pass", there's also https://www.justwatch.com/gopass/

IMO Filenames being readable is not really a downside. How else would you recognize which passwords you need? In any other password manager you have a reference, when using pass you simply have a directory of encrypted files with a simple interface for access. I store them under lock and passphrase, a 4096bit rsa or ed25519 key, which is on an encrypted hard drive, and only accessible by a password protected user or root.

It's Unix Philosophy at its purest, and the reason why I use it for my password management.

It depends on how you use it. As long as the identifiers are not visible to anyone else (like you described), it's okay.

But if you sync your secrets across devices, using services that are not under your control, or your device gets stolen, more information than necessary got leaked.

You should store all the passwords in one file.

I love pass! I wrote this article on how to use it with the yubikey neo https://www.drupalwatchdog.com/blog/2015/6/yubikey-neo-and-b...

> Only downside that I've seen users mention is that filenames are readable.

People have made various pass extensions, by the way, to work around this.

I have been using pass since Feb 14 2015 (according to git) now, and that is the only thing that bothered me so far. Do you have a link to these extensions? I would be interested in that.

Whenever a product like this shows up here, I find myself waiting for the security guys to show up and explain why it's terrible.

A cursory look at the code (10min on my phone) shows nothing obviously wrong. They use a secure source of entropy, and scrypt with decent parameters for generating the key from the passphrase. They use unique salts and nonces of decent lengths. That alone is better than 90% of the crypto code I review.

I would still prefer https://www.passwordstore.org/ though. I like the ability to insert a new passwd without having to type a passphrase. And it's more robust because updating 1 password only rewrites 1 file, whereas with passmgr the whole file is rewritten. This also means the passwordstore data base is easier to revision-control and sync across multiple machines. Finally with passwordstore I can update my passphrase by simply changing it on my PGP key ("gpg --edit-key $id" and use the "passwd" command.) But with passmgr there is no mechanism to change it (every entry would have to be decrypted and re-encrypted.)

Let's wait together then. In the meantime I suggest this link: https://team-sik.org/trent_portfolio/password-manager-apps/ Almost everything seems to be terrible.

Well, there's "has bugs" and there's "terrible and worse than useless", which is what seems to be the verdict, more often than not.

"Update 2017-03-01: All reported vulnerabilities are fixed by the vendors"

Would need a whole bunch more features for me to want to switch from pass (passwordstore.org), which has already great git integration, command completion, stores arbitrary contents (not just username, password and url), a whole bunch of extensions and clients (I need an iOS client), can generate passwords, and more.

Also I think the 6 seconds for pasting the password before the clipboard is cleared is a bit too short, pass has 45 seconds which is a bit too much, maybe something between 15-30 seconds would be optimal, or better yet: Let the user configure it.

> I need an iOS client

Here you go: https://github.com/mssun/passforios

I meant that I need an iOS client as in pass has one (and I'm using it) but passmgr doesn't

You are right, the 6 second limit is on the low end. There is also a timeout for general inactivity which is currently set to 60 seconds. I want to make them both configurable and provide better defaults.

The storage of arbitrary secrets is definitely on my todo list.

As for the git integration, I do not see the point of having it. For someone who is able to set up a remote git repo, it should be trivial to use git for synchronization, even without "git integration", since everything is stored in a single file.

I have not yet looked into browser integration or clients for mobile platforms, but maybe there is a way to integrate with existing apps/extensions.

Git integration is nice because:

- You never ever lose anything. Updated the wrong password? No problem, just `git reset`

- Having everything in its own file lets you merge changes made on different machines (I use this all the time, I'm not keeping every machine always up-to-date). If everything's in a single file, any change would result in a hard to resolve merge conflict.

- All the other git goodness, including file history (e.g. when was the last time I changed this password), multiple users (e.g. a shared family store), and more

While some of these are debatable and git isn't really made for binary data, I still think it's a very good fit.

You don't necessarily need "integration" to achieve this. You can always put a file under version control.

I've stolen some links from https://github.com/gioele/pw to show that there are downsides to the separate files approach:



Pass has a good iOS client? Do you mind sharing the name? I toyed around with pass but this would make a nice addition to my setup.

E: quick Google and some digging later I see the situation, thanks for alerting me to this though!

Yeah it's called 'passforios'. I couldn't live without it, it's really well made as well.

I've mused that a solid "delayed clipboard clear" feature would do some kind of atomic Compare-And-Swap, because otherwise the originating program could conceivably blow away something it didn't put there.


Good point. I'm going to implement this, although it's probably not possible to make it an atomic operation.
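Added example, not part of the thread and not passmgr's code: a sketch of the "clear only if the clipboard still holds what we put there" check discussed in the two comments above. The `Clipboard` interface, `memClipboard`, `CopySecret` and `ClearIfUnchanged` are hypothetical names, and the secret is a constructed sample value.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Clipboard is a hypothetical abstraction; a real one would wrap xclip or an OS API.
type Clipboard interface {
	Read() (string, error)
	Write(string) error
}

// memClipboard is an in-memory stand-in so the example runs offline.
type memClipboard struct{ data string }

func (c *memClipboard) Read() (string, error) { return c.data, nil }
func (c *memClipboard) Write(s string) error  { c.data = s; return nil }

// CopySecret writes the secret and returns only its SHA-256 digest, so the
// caller can check ownership later without holding on to the plaintext.
func CopySecret(cb Clipboard, secret string) ([32]byte, error) {
	if err := cb.Write(secret); err != nil {
		return [32]byte{}, err
	}
	return sha256.Sum256([]byte(secret)), nil
}

// ClearIfUnchanged clears the clipboard only if it still holds our secret.
// The read and the write are separate steps, so this is not atomic.
func ClearIfUnchanged(cb Clipboard, want [32]byte) (bool, error) {
	cur, err := cb.Read()
	if err != nil {
		return false, err
	}
	got := sha256.Sum256([]byte(cur))
	if subtle.ConstantTimeCompare(got[:], want[:]) != 1 {
		return false, nil // someone else's data: leave it alone
	}
	err = cb.Write("")
	return err == nil, err
}

func main() {
	cb := &memClipboard{}
	d, _ := CopySecret(cb, "constructed-secret")
	cb.Write("text the user copied later")
	cleared, _ := ClearIfUnchanged(cb, d)
	fmt.Println("cleared:", cleared, "clipboard:", cb.data)
}
```

In a real tool the check would run from a timer once the configured timeout expires; something copied between the read and the write can still be overwritten.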

On X11 you can do better: the clipboard isn't actually stored anywhere, the program requesting the paste gets the data directly from the program that claimed the clipboard.

The clipboard lib you're using just spawns xclip (or xsel) on Unix. xclip has a -loops argument that is the maximum number of pastes. So you could just spawn:

  xclip -loops 1 -in -selection clipboard

And the password would be available to paste exactly once. Unfortunately I don't think xsel has any such option.

There are clipboard manager apps that could grab the paste immediately and persist it, but I'm not sure how common they are or if they are default anywhere.

Thank you for all of your feedback.

I've already implemented some features based on your ideas:

- configurable timeouts: https://github.com/urld/passmgr/commit/069c209

- basic filter functionality: https://github.com/urld/passmgr/commit/3c4b1ed4

But I think the UI needs improvement, and core features like master passphrase updates are still missing. Also the clipboard handling could be improved (depending on the platform).

I'm not sure yet if and how browser integration or iOS/Android clients could or should work with passmgr, but if I have time I will think about it.

I wrote a bash script password manager[1]. It generates a random password, encrypts it with your gpg key, and hides it in a picture with steghide.


It was just an exercise to get better with bash, but I actually use it. It could be trivially modified to take a password instead of gpg.

It sounds like a lot of us have been making password managers recently. Here's one I made a few days ago:


It uses a file in your private Keybase directory as its datastore (so obviously depends on Keybase). As such, it eschews the need for its own master password (or more accurately, it depends on your previous authentication with your Keybase master password), and thus can operate in an individual-run basis.

It could still use a decent amount of work (e.g. option to save a credential based on a randomly generated password, etc), but I've been using it myself recently and like it quite a lot.

> It sounds like a lot of us have been making password managers recently. Here's one I made a few days ago:

> https://github.com/ojensen5115/pw/

I made one as well. Same name, totally different philosophy. ;)


Hey, that looks really cool! Definitely something I'll want to look at in more detail when I get the chance :)

I built a golang password manager a while ago, in the image of pass.

Shameless self pitch. It is a little slicker, not needing the master key to save sites.


I'd need a good reason to use this over pass. Does it have something that pass doesn't?

Featurewise, no (not yet). However, I think my approach, using a single encrypted file for all secrets, is somewhat more secure as it does not leak information like what sites are managed by the password manager.

I guess you could also argue that by using AES, passmgr has the advantage of being post-quantum secure, if that is important to you.

Would it be ill-advised to enable it to talk over a network to sync itself with hosts that you manually add? Or even an option to --sync to a remote git/GitHub repo?

Personally I don't see the point in integrating synchronization features for now. There are already tools which are good at synchronizing files. And since everything is stored in a single file, it should be trivial to set up sync. E.g. you could do so with an alias like: alias passmgrgit='git pull; passmgr -file xxx; git commit -a -m "updated";git push'
