The "Password Store" app on Android is compatible with `pass` and supports Git and NFC for using the Yubikey Neo to decrypt the passwords.
Here's a nice tutorial on it: https://www.jfry.me/articles/2015/gpg-smartcard/
I'm not sure I fully understand subkeys. It looks like they can be used in place of my main key, and I can generate new subkeys from my main key. Is this so I can revoke my subkeys if they are ever compromised? Can other subkeys decrypt my 'pass' files or is that limited to the subkey that generated them? It seems like the existing private key would be able to decrypt passwords in the future even after it was revoked, if the user still had the original files.
If I generate 2 subkeys, can they both encrypt and decrypt my passwords? The only difference is that I can revoke them independently?
Honestly, if you're using GPG strictly for personal password wallet encryption, and don't intend to maintain an identity tied with the key long term, there's no need to do the subkey thing -- just create an offline key, load it to your YK, then securely store the offline key.
Subkeys shine when you want to maintain an identity long term, while allowing rotation of the keys that do your day to day encryption (or signing/auth).
I definitely have to try the Yubikey integration!
If you do not want to synchronize your vault among all your devices, but still want to have a unique password per site, try LessPass. LessPass is a stateless open source password manager.
Disclaimer: I am the creator of LessPass.
One benefit of the password-protected-text-file method over LessPass is you can also save answers to so-called "security questions" (for those sites that still use them, like Paypal and government sites).
Alternatively, one can use Schneier's write-down-password-on-a-small-piece-of-paper method.
I have all this stored in my Linux box. I backup to my server side encrypted AWS S3 bucket protected with 2FA. No need for me to sync anything, but if I need access to my VeraCrypt file, I can download it when required.
I've used this method for two decades now, first using OSX .dmg files, then TrueCrypt, now VeraCrypt. Simple, and works well.
There is still the benefit that the passwords can't be exposed by a compromise of the service. Presumably it doesn't store your master password anywhere, so all they'd get is the site and counter info.
The profile is also used to store other site-specific attributes, like if it has some weird password rule that requires pure alphanumeric or a specific password length.
This blog post shows how LessPass lets you change passwords per site, and get around tricky password requirements.
The list of differences from LastPass is long.
Pass is open source. Pass doesn't store your information on anybody else's computer by default. Pass has no first-party browser plugin and is therefore not open to attack through browser plugin holes.
On the other hand you control everything by yourself including batch updating your passwords. And there's no online service.
There is no need to put anything on someone else's computer.
Really? What if s/he just decrypted the file themselves and had a look at the content, rather than using the convenient wrapper that a password manager provides?
Rule zero of security is that you can't ask people to forget things. If they had knowledge of a shared secret and they're not supposed to going forward, then that shared secret needs to be changed.
The only way this kind of auditing could be trusted is if all the secrets are stored on the server that implements the auditing, which is exactly the model I believe that most users of `pass` are trying to avoid.
There will always be a person with admin (or master password) access who can edit logs or bypass them entirely, but this is supposed to be a person who has the final responsibility in the team's 'chain of command'. The audit log exists so that this very admin can monitor the logs for suspicious behavior and clean up the passwords after a team member leaves. Hence, having the ability to decrypt the db with a master password is irrelevant as the master password should only be accessible to the admin.
Other things I do:
* Store all the files as .toml files so I can rip specific keys with a custom script.
* Have a directory for web so `pass web` will give me all websites. Have a script to fill username/pass for each.
* Have a directory for contacts. Then wrote a script to generate vCard files by crawling and pulling keys, base64 profile images and all.
* Use syncthing to keep all devices up to date.
It's a pretty slick workflow, IMHO.
Edit: yeah for ctmg support, probably have to hold out for something like PostMarketOS to save us.
Not that my opinion is worth a whole lot, but this is the password manager I would choose to use if I wasn't using 1Password. Where many other password managers use convoluted constructions with (e.g.) AES and PBKDF2, this is very straightforward GPG.
To illustrate my point, look at the elaborate loop to iterate over *.gpg files: https://git.zx2c4.com/password-store/tree/src/password-store...
This looks to me like the correct way to do this in bash, as long as you can guarantee that $PREFIX does not start with whitespace (which may be a valid assumption here).
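To make the whitespace point concrete, here is an added bash example (not code from the password-store repository) that contrasts a word-splitting loop with the NUL-delimited `find -print0 | read -d ''` idiom discussed above, run over a constructed throwaway store whose `.gpg` files are empty placeholders:

```bash
#!/usr/bin/env bash
# Enumerate entries of a pass-style store (one *.gpg file per entry) without
# breaking on whitespace in file names, pruning the .git directory as pass does.

# Build a throwaway store with awkward names. Constructed demo data: the .gpg
# files are empty placeholders, not real encrypted passwords.
make_demo_store() {
  local store
  store=$(mktemp -d)
  mkdir -p "$store/web/site with spaces" "$store/email" "$store/.git"
  : > "$store/web/site with spaces/alice.gpg"
  : > "$store/web/example.com.gpg"
  : > "$store/email/bob.gpg"
  : > "$store/.git/ignored.gpg"   # lives under .git: must be pruned
  : > "$store/notes.txt"          # not a .gpg file: must be skipped
  printf '%s' "$store"
}

# Fragile version: the unquoted command substitution is word-split on
# whitespace, so "site with spaces" turns into three bogus entries.
# Shown for contrast only.
list_entries_naive() {
  local f
  for f in $(find "$1" -iname '*.gpg'); do
    printf '%s\n' "${f#"$1"/}"
  done
}

# Robust version, the idiom pass uses: find emits NUL-terminated paths and
# read -d '' consumes them one at a time, so any byte except NUL is safe.
list_entries_safe() {
  local prefix=$1 passfile
  while IFS= read -r -d '' passfile; do
    passfile=${passfile#"$prefix"/}   # drop the store prefix
    passfile=${passfile%.gpg}         # drop the extension: path is the entry name
    printf '%s\n' "$passfile"
  done < <(find "$prefix" -path '*/.git' -prune -o -iname '*.gpg' -print0)
}

# Count the lines a lister produces (leading spaces from BSD wc stripped).
count_lines() { "$@" | wc -l | tr -d ' '; }
```

The naive loop still breaks on a store prefix containing whitespace, which is the caveat raised above about `$PREFIX`; the `-print0` loop does not care.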
From what I can tell, the code quality is way better than what you see in your average bash script.
That's a bonus until you need to demonstrate FIPS 140-2 validation.
But you'll have a finding in an audit in some circumstances as it hasn't been validated. I've seen cases where they'll miss that if it's running on RHEL, but it's a risk.
It's convenient yes, but I prefer one encrypted file that contains it all.
However keep in mind it's not always a big "issue", for instance only looking at your browser history will retrieve the same knowledge.
I can store the encfs encrypted tree on cloud storage (spideroak in my case) and have it synched across machines. Works pretty well.
Pass is pretty much a glorified bash script using GPG and Git.
Adding filename encryption on top would be a nightmare, not to mention that terminal suggestions would be pretty much broken.
You can always write an (encrypted) index file that contains a simple list of all domains.
There is a concept called 'defense in depth', saying that every component should be secure on its own and not rely on other components.
In pw each password database is a single file, the internal indexes are random IDs. Each line in a database is a serialized GPG file with a password and associated metadata.
The file format is git-compatible and everything can be managed with standard command line tools.
This post seems to have saved me the trouble of Googling myself. I am installing on the Mac and iOS as we speak.
Speaking from recent experience migrating non-technical users to 1Password, while something like pass might work well for me/the typical HN user, there's no way I'd try to get family to use it. I have found the overall 1Password user experience to be very friendly and reliable, but am still semi-regularly having to help family figure out/re-explain something about how it works. They'd be lost with something like pass.
My parents don't speak English. Not everyone does.
That's what you're paying 1Password for.
The open source stuff generally stalls out after the first 90% of the functionality is there, and the second 90% of the work remains.
Encryptr uses their no-knowledge cloud. It's pretty cool and their processes are openly documented.
Search for qr on the Python package index using pip. There's a module that you can pipe text to and then it'll render a QR code in your terminal using Unicode glyphs. Worked well last I tried. Don't remember what the module was called but you'll be able to find it, I'm sure.
I understand it's the standard UNIX password manager, so I suppose I don't have a ton of room to complain, and most of my computers are Mac or Linux, so it's not a huge deal, but I think it increases the barrier to entry for a ton of people.
That said, I think Pass is awesome, and having my passwords stored in Github makes me really happy.
But yeah, I kinda don't like using Gpg4Win with Cygwin, which is what I'm guessing you've used too.
With the "Creators Update" there's now a `clip.exe` to which one can pipe so maybe it's not too hard to update Pass, which is itself just a Bash script.
I really like the idea of pass, but I'll never accept copy-pasting logins/passwords again. They'll need to be automatically inserted on a matching website. Everything else is too much manual overhead for my taste.
Copying and pasting may be annoying, but it's much safer, especially if you use a program that will autoclear your clipboard for you (KeePass 2 does this after 12 seconds by default).
pass has Linux covered (both Chrome and Firefox), but doesn't really work for Windows.
Android is really tiresome as well, as there is no way to skip my long master password in favour of a fingerprint. I know, it's not easy to implement that feature securely.
Today I found this, need to check it out: https://github.com/Baggykiin/pass-winmenu
Gets me really close to the holy grail of password managers. Browser integration is possible too with PassFF:
- There's no builtin GUI
- Each entry is its own file
- You control the storage format (meaning it's easy to store any kind of information, not just passwords)
- It relies on GPG, so you need to set that up first
In Keepass, there's a textarea associated with each password entry, which can be used to store extra data like security questions, etc.
pass -c (or --clip) does that for you.
Wrong, pass provides the -c flag which puts it in your clipboard and clears it after a timeout.
Of course one has to set it up, it's not an integrated solution. But GPG provides interesting features like storing encryption keys on hardware devices. Some devices like Yubikeys can have touch-to-use enabled. So each use of a secret requires a touch (after PIN but that's once a session). Perfect combination of convenience and security for me.
Do you mean this:
> YubiKey challenge-response support for strengthening your database encryption key
Then it's not clear for me how this works exactly.
It's basically a rotation manager! Very powerful and lets you properly change your passwords regularly on many websites (like the proprietary Dashlane Password Changer or LastPass' similar feature).
I think a better idea would be to fill in the password through something like xdotool
Sure other applications can see the clipboard, but if you've got software running on the user's machine you've already won.
Some programs support calling an external command to get a password, that's convenient (mutt and msmtp allow that for instance). I thought about integrating pass in my window manager directly but I didn't take the time to implement it yet.
pass also tries to clear the clipboard after 45 seconds.
But really, if you can't trust your clipboard what can you do? I didn't really feel a lot safer with LastPass' browser plugin.
A password manager effectively can't protect against other applications on the same machine. IMO that makes the universality of the clipboard more valuable than the safety of using alternate input methods.
Though since there are plenty of things that block pasting passwords, those alternate options are appreciated.
I agree completely, the clipboard is non-trusted. Yet the fact remains, how can we transmit an arbitrary string from a secure app like a password store, to another app in need of authorization? Let's build constructive conversations.
Ostensibly, yes. Because (as 'StavrosK said), if I don't then we can't even begin to talk about security on that machine yet. We have to start with assumptions somewhere.
If software on your machine is compromised, your machine is compromised (or will be in short order). You need to make reasonable concessions and stick with them in order to get anywhere.
On the other hand it does not work this way in the other direction. Random web pages can manipulate your primary selection and overwrite it with random garbage (this primarily happens with various attempts to make copying stuff from the page more "convenient", pretty commonly resulting in a state where it is simply impossible to copy said thing into, say, rxvt directly). It is somewhat ironic that Chrome's address bar uses some magic to prevent this from happening, while the same magic is not applied to websites.
The clipboard feature is helpful in pass, when I have someone standing over my shoulder or connected to a projector.
But I ended up storing everything in one single encrypted file, rather than having one file per password. I see the point about the UNIX philosophy (i.e. "everything is a file"), but that way you'd leak information, i.e. what the stored passwords are for.
Anyway, I'd appreciate any feedback on mypass.
I use a fish script to hook it up to https://github.com/junegunn/fzf for easy search and copying to the clipboard. https://github.com/zabil/thanksforallthefish/blob/6145e98691...
git push origin master
I like it because you can use it to store sensitive info along with metadata, not just single field passwords. It's also super easy to access the info on the command line with ways to auto-copy passwords to your clipboard (which expires after 45 seconds).
I did a write up on it a while back at https://nickjanetakis.com/blog/managing-your-passwords-on-th....
I remember seeing some guy who had his `pass` Git repository public on GitHub and challenged the world to crack any of them. Myself, it's just git+ssh to a repository on my own server.
But personally I use a different approach. I rolled my own little rsync script that syncs files that I care about (passwords and other things) between my workstation and Chromebook (I run Linux natively on it).
- It forgets my GitHub password every time I upgrade
- I honestly don't like the fact that I can't turn off the PIN. 4 digits with unlimited retries.
- It can't merge sometimes. I think they should be more aggressive about git rebase
I created a separate SSH key and did this on my server: https://superuser.com/a/444899
If you can't that's definitely gotta be an issue in their backlog. Seems more robust to have a key for an application to connect with that you can simply revoke.
Would I like to move to something that isn't stored online? Yes, of course but I haven't found a decent solution that works everywhere.
I was previously using Password Safe, on Windows, and various compatible alternatives on Linux and Mac OS. Years ago I had tried using a single 'safe' synced via Dropbox but that was a big pain in the ass because sometimes I'd inadvertently lock the safe file by, e.g. starting to add a new password but not finishing. So instead I created a separate safe file for each computer or device. To sync new passwords or changes to existing passwords I'd have to periodically merge all of the safes and manually cleanup any conflicts between them.
The main reason why I switched to Pass is that syncing the password stores on each of my devices is so much easier using Git.
PassFF works well for Firefox on my Mac, but no equivalent for Windows. If you're willing to forgo browser integration then that's less of an issue.
Lack of browser integration might also be less of an issue in Linux with dmenu or rofi plugins like others have mentioned, but that still doesn't solve Windows issues.
I had considered the Bash/Ubuntu/Windows option (instead of qtpass) but haven't tried it yet.
I would claim that there isn't a more convenient password management solution than this.
Found out I needed GPG, and some encryption key or ID and whatnot. I have no clue what these things are and would like to know.
How can I learn about this encryption stuff like keys and RSA and whatnot? (Books n Articles)
The simplest way to create your gpg-id is with:
`$ gpg --gen-key`
Fill in your name and email in the prompts. When it tells you it needs to generate a lot of random bytes, you'll probably want to do something like
`$ find /`
to generate disk entropy for gpg to pull enough random bytes from /dev/random to create your keys.
You can use the email you provided as the gpg-id you give to pass:
`$ pass init $email`
I think this is something the browser should offer by default.
I know, it's not perfect, but it beats carrying around password files between devices.
By the way, I'd prefer to have a password manager on my phone (or smartwatch), and have it beam my password to my keyboard by NFC. But this solution does not exist yet.
Still, if you use a password manager without a master password, I don't think you can be protected from consequence, regardless of what your tools do. Pass could refuse to allow the no master password scenario, or could force some type of blatant user interaction to allow it to work, but ultimately, that user is screwed by something somewhere.
Now if this were to become mainstream, it's almost guaranteed that some percentage of users will set it up to work that way.
And now you have the perfect opportunity to write a script that simply attempts to read passwords using pass and if it succeeds sends the results somewhere on the net.