Hacker News new | comments | show | ask | jobs | submit login
Pass: A standard Unix password manager (passwordstore.org)
406 points by jaybosamiya 12 months ago | hide | past | web | favorite | 199 comments

I've used this for a long time, and along with its Git integration (pushing/pulling to/from a repository on my own server, accessed over SSH) and a GPG key stored on a Yubikey Neo, I've got basically seamless sync between two laptops, a desktop and an Android phone, without using any third-party service.

The "Password Store" app on Android is compatible with `pass` and supports Git and NFC for using the Yubikey Neo to decrypt the passwords.

I've got the same setup, it's pretty great. One thing, though: make sure you have another way of decrypting your passwords! I lost my Yubikey once, and I lost all my passwords. Now I have a copy of that key on a USB drive I keep at home in a small safe.

Yeah, my passwords are encrypted to two private keys. One is on the Yubikey, the other is printed and stored securely.

What's the best way to backup the private key on your yubikey? Do you just generate it on your computer instead of on your device, and then back that up?

Generally a good way to do this is via GPG subkeys. You keep your master/certifying key offline, in your safety deposit box, and load a subkey onto your Yubikey. If the Yubikey is lost, you can easily revoke the subkeys and generate new ones.

Here's a nice tutorial on it: https://www.jfry.me/articles/2015/gpg-smartcard/

Thanks for the link. I started reading through that, and it is quite involved. I'm still deciding if it's worth it.

I'm not sure I fully understand subkeys. It looks like they can be used in place of my main key, and I can generate new subkeys from my main key. Is this so I can revoke my subkeys if they are ever compromised? Can other subkeys decrypt my 'pass' files or is that limited to the subkey that generated them? It seems like the existing private key would be able to decrypt passwords in the future even after it was revoked, if the user still had the original files.

Yes -- revocation is just an indicator of the subkey's trust going forward. Once revoked, the user would generate a new subkey and re-encrypt their password wallet. While the git features and multi-key capabilities of pass lend well to very lightweight team usage, the model is definitely best suited for use by an individual.

So a subkey is aware of all revocations from before it was generated?

If I generate 2 subkeys, can they both encrypt and decrypt my passwords? The only difference is that I can revoke them independently?

Sorry, to clarify, you need to keep a backup of all subkeys along side your master/certifying key. Data encrypted to a given subkey can only be decrypted by that same subkey.

Honestly, if you're using GPG strictly for personal password wallet encryption, and don't intend to maintain an identity tied with the key long term, there's no need to do the subkey thing -- just create an offline key, load it to your YK, then securely store the offline key.

Subkeys shines when you want to maintain an identity long term, while allowing rotation of the keys that do your day to day encryption (or signing/auth)

General recommendation is to have a backup for everything on a yubi key. Two keys or printed backup codes or whatever.

The only problem I got with the password store application is that the Git integration seem to be a bit broken. It often refuse to push, pull or sync depsite having no conflict. But you just have to delete the store and pull everything again, so it's not a huge problem.

I definitly have to try the yubikey integration !

I don't think the git integration can be broken. You can go into the ~/.password-store directory yourself and see what is going on next time you have issues (it's just a regular git repo).

I use termux[1] to clone/pull my pass repo for "Password Store" on Android since I need ed25519 key support.

[1]: https://termux.com

I have the same setup, but I haven't yet been able to get the Yubikey Neo to work as a GPG key on android via NFC. It prompts for a PIN, but the PIN I use for GPG on linux isn't accepted. There's also no working windows client for this setup, so I find I have to manually copy a lot of 20 character complex passwords by hand these days.

Interesting. The same PIN that I use to unlock the card on my laptops works on my phone. I'm not sure what would lead to the behaviour you describe!

I share a pass git repo between a Mac and a Windows machine. GPG4Win works fine on Windows.

I use Msys2 on Windows which then lets me install GPG and Pass from its package manager.

Why doesn't it work? From the top of my head, QtPass with gpg4win should work.

I recommend using Pass or Keepass, because we can see the source code. But like all these password managers, you need to synchronize your password vault.

If you do not want to synchronize your vault among all your devices, but still want to have a unique password per site, try LessPass[1]. LessPass is a stateless open source password manager.

Disclaimer I am the creator of LessPass

[1] https://lesspass.com/

Lesspass seems nice but how about keeping all passwords in a .txt file and password protecting that file?

One benefit of the password-protect-text-file method over Lesspass is you can also save answers to so-called "security questions" (for those sites that still use them, like Paypal and government sites).

Alternatively, one can use Schneier's write-down-password-on-a-small-piece-of-paper method.


This method works very well. I have one large text file containing all my credentials, stored in a an encrypted VeraCrypt file.

I have all this stored in my Linux box. I backup to my server side encrypted AWS S3 bucket protected with 2FA. No need for me to sync anything, but if I need access to my VeraCrypt file, I can download it when required.

I've used this method for two decades now, first using OSX .dmg files, then TrueCrypt, now VeraCrypt. Simple, and works well.

I suppose the main pain with this method would be accessing the passwords on other devices. For example, I'd prefer to be able to copy/paste password on my phone, instead of referring to another computer and typing it in one random character at a time.

https://ss64.com/pass/ Is similar to LessPass but is entirely javascript in the browser, so you can save the page and run a local copy completely offline or upload to your own website. Theres also a command line version for both bash and PowerShell https://ss64.com/pass/command-line.html

Disclaimer: stateless/deterministic password managers have some serious flaws compared to stateful/vault password managers. See https://tonyarcieri.com/4-fatal-flaws-in-deterministic-passw... for example

This is pretty brilliant. My biggest concern is that if my password for a site gets compromised, it gets a lot more complicated. Presumably I'd have to memorize a separate master password for retrieving the new password for that site.

They have a counter option that you can increment which allows you to generate a completely different password for the same site.

But once you did that it wouldn't be stateless anymore as you'd need to connect to their server every time to check on the state of that site's password. This makes it not that much different from traditional online managers where you have to connect to the site to retrieve the password.

There is still the benefit that the passwords can't be exposed by a compromise of the service. Presumably it doesn't store your master password anywhere, so all they'd get is the site and counter info.

You also have the option save this profile db locally, or store it yourself manually in a txt file if you really care. That's also necessary if a certain site has password restrictions.

True. You'd have to connect to their server or your own self-hosted LessPass to get your saved profile.

But then you have to remember the counter setting for that website. So it's almost the same problem; I could just add a 1 to the end of my master password for that website.

I've just installed it and haven't yet used it, but as far as I can tell from the docs, the counter is stored as part of the syncable profile for a site.

The profile is also used to store other site-specific attributes, like if it has some weird password rule that requires pure alphanumeric or a specific password length.

No, the counter would be saved by LessPass. Every time you look up the password for that site, it'll already know what the counter is set to for that site.

This blog post[0] shows how LessPass lets you change passwords per site, and get around tricky password requirements.

[0] https://blog.lesspass.com/lesspass-how-it-works-dde742dd18a4

This appears to be very similar to MasterPassword. Do you have a minute to explain to me what advantages LessPass offers?

[1] http://masterpasswordapp.com/

Not at all. While Masterpassword does not save any passwords but generates it based on some unique parameters live - pass stores passwords and notes encrypted with GPG in a git repository.

The list differences to LastPass is long.

Pass is OpenSource. Pass doesn't store your information on anybody else's computer by default. Pass has not first party browser plugin and is therefore not open to attack through browser plugin holes.

On the other hand you control everything by yourself including batch updating your passwords. And there's no online service.

I use KeePass and I only keep the database on my phone. When I need the database on my laptop, I use kdeconnect to share the file. Which basically uses sftp with a temporary key.

There is no need to put anything on someone else's computer.

Pass is pretty awesome, but nowadays I've switched to gopass: https://github.com/justwatchcom/gopass - much better support for teams, structured secrets, binary secrets and quite a few other improvements. Oh, and it's (mostly) drop-in compatible.

Looks nice. Unfortunately I would never use it for teams as it doesn't have audit logs. These are very useful in case a user is compromised - you can lookup which passwords he accessed and only change those. Same goes if the user left the team and u want to make sure all accesses are revoked.

For teams, I almost always go with Vault (http://vaultproject.io/)

My impression of Vault is that it is more useful for automated situations. How useful is it as a shared password manager? Do you have non-technical folks using it? And if so, how are they interacting with the vault?

No purely non-technical individuals as far as I know, but there are a number of non-developer analysts using it who wouldn't otherwise have much exposure to a console. The flexibility of the access policies and the ability for users to easily/securely share secrets under a path with only their team and be able to have multiple policies for multiple teams all under one roof far outweighs any minor struggle during initial adoption.

Sounds like a great idea for a side project. Build a user friendly interface that leverages a remote vault server on the backend. It's primary use case if definitely for applications.

There are a handful of web-based UIs that have been built. And I believe Hashicorp offers one with their enterprise product. But from what I can gather they all still have a bit more of a learning curve than your average password manager.

Wouldn't Keybase's secret shares be better?

I really like the idea of vault I just haven't been able to figure out how to setup consul ACLs correctly to use vault on top of it

"you can lookup which passwords he accessed"

Really? What if s/he just decrypted the file themselves and had a look at the content, rather than using the convenient wrapper that a password manager provides?

Yep. Or saves the plaintext of the password elsewhere after using it once for a "legit" use.

Rule zero of security is that you can't ask people to forget things. If they had knowledge of a shared secret and they're not supposed to going forward, then that shared secret needs to be changed.

Thats the whole point of audit logs. You lookup the passwords he accessed and only rotate those (vs rotating all of team's shared secrets because you dont know which ones he used/saved/etc).

You're missing the point. The software has no way to tell if a compromised user looked at certain passwords out of band. The audit logs aren't guaranteed to be complete, so you should rotate every key they could have accessed anyway.

No it actually is not the whole point. Security is never convenient. If you do not have an active password rotation automated for all accounts, even shared, then you should be more worried about an employee reporting you to compliance officers. #justsaying

Huh? Its not reasonable to expect automated password rotation for all shared secrets, especially for external services that a team could use. Some passwords will always need to be rotated manually.

Thats why password managers that do support audit logs (normally) do not provide this kind of mechanism of manually decrypting the file. The only way of accessing passwords would be through whatever interface they came up with.

The password manager of course does not "provide" such a mechanism (I imagine providing a "bypass audit logs" button would not be a popular feature). But if you know the key (the master password, or some derivative of it) and you have the ciphertext then you will be able to get the plaintext.

The only way this kind of auditing could be trusted is if all the secrets are stored on the server that implements the auditing, which is exactly the model I believe that most users of `pass` are trying to avoid.

The whole point of the discussion was to highlight a feature that I was missing here - ability to audit who accessed what.

There will always be a person with admin (or master password) access who can edit logs or bypass them entirely, but this is suppose to be a person who has the final responsibility in the team's 'chain of command'. The audit log exists so that this very admin can monitor the logs for suspicious behavior and clean up the passwords after a team member leaves. Hence, having the ability to decrypt the db with a master password is irrelevant as the master password should only be accessible to the admin.

I use pass and love it. It provides a lot of flexibility. To fix the "website metadata is leaked in filenames" issue, I use another project by Jason, ctmg[0]. I changed the pass directory to be one directory deeper, encrypted it and just do `ctmg open` when I boot to open my password list (similar to unlocking a keypassX store) then use pass as normal. On shutdown, the opened folder is re-encrypted automatically. You could also set a ctmg close on a timer if you don't want the list to be available during your entire session after open.

Other things I do:

* store all the files as .toml files so I can rip specific keys with a custom script.

* Have a directory for web so `pass web` will give me all websites. Have a script to fill username pass for each.

* Have a directory for contacts. Then wrote a script to generate vCard files by crawling and pulling keys, base64 profile images and all.

* use syncthing to keep all devices up to date.

It's pretty slick workflow IMHO

[0] https://git.zx2c4.com/ctmg/about/

Since pass supports extension, you can make your setup less complex using pass-tomb. 'pass-tomb' keep the whole tree of password encrypted inside a tomb, see https://github.com/roddhjav/pass-tomb

Nice to hear somebody out there is using ctmg. I never bothered making packages for distros other than Gentoo, but ctmg is quite useful so maybe I'll do that.

Cheers. Yeah for sure, I was too lazy to make a PR on nixpkgs, but this[0] is what I wrote if anyone stumbles on this using NixOS. The nix package manager can be installed on top of most OS's too.

[0]: https://pastebin.com/raw/FYMean1q

looks like a nice setup, but what about mobile?

Syncthing has a mobile app and there's an app for pass called PasswordStore[0] using OpenKeychain[1] (pgp manager). I'm not a fan of putting my private key on my mobile, but if I were, this would be a nice setup.

[0]: https://github.com/zeapo/Android-Password-Store

[1]: https://github.com/open-keychain/open-keychain

Edit: yeah for ctmg support, probably have to hold out for something like PostMarketOS to save us.

You don't need to put your private key on a mobile device. You can create a separate key for each device. Pass supports multiple keys.

If your phone has NFC you can use a YubiKey to store the gpg key and decrypt the password via NFC.

yes, I saw this for pass, but I was referring to his setup where he uses ctmg also

Note that pass was developed (and is maintained) by Jason Donenfeld (zx2c4), the same person who developed Wireguard, the new VPN protocol.

Not that my opinion is worth a whole lot, but this is the password manager I would choose to use if I wasn't using 1Password. Where many other password managers use convoluted constructions with (e.g.) AES and PBKDF2, this is very straightforward GPG.

FWIW, the source code looks fairly solid to me, considering that it's a bash script meant to be used on trusted inputs.

To illustrate my point, look at the elaborate loop to iterate over *.gpg files: https://git.zx2c4.com/password-store/tree/src/password-store...

This looks to me like the correct way to do this in bash, as long as you can guarantee that $PREFIX does not start with whitespace (which may be a valid assumption here).

From what I can tell, the code quality is way better than what you see in your average bash script.

> Where many other password managers use convoluted constructions with (e.g.) AES and PBKDF2, this is very straightforward GPG.

That's a bonus until you need to demonstrate FIPS 140-2 validation.

GPG is FIPS 140-2 compliant (though pass itself might not be, depending on the specific way it's used). Most likely pass would have to use GPG in a specific FIPS-compliant mode to pursue validation.

GPG has a FIPS mode that will use FIPS 140-2 primitives.

But you'll have a finding an audit in some circumstances as it hasn't been validated. I've seen cases where they'll miss that if it's running on RHEL, but it's a risk.

I don't like the fact someone with access to my hard-drive can figure out all the services I'm using just by looking at the filenames.

It's convenient yes, but I prefer one encrypted file that contains it all.

This "issue" has been fixed with the pass extension 'pass-tomb' that keep the whole tree of password encrypted inside a tomb

See https://github.com/roddhjav/pass-tomb

However keep in mind it's not always a big "issue", for instance only looking at your browser history will retrieve the same knowledge.

I mount my pass dir with encfs. Mount when I need access to passwords, and no need to remember to close it before I shut down (or if the machine randomly crashes).

I can store the encfs encrypted tree on cloud storage (spideroak in my case) and have it synched across machines. Works pretty well.

Oh well... I wonder why they didnt make something like this the default.


Pass is pretty much a glorified bash script using GPG and Git.

Adding filename encryption on top would be a nightmare, not to mention that terminal suggestions would be pretty much broken.

> not to mention that terminal suggestions would be pretty much broken

You can always write an (encrypted) index file that contains a simple list of all domains.

Storing all that information in plaintext just to make terminal suggestions easier to implement sounds shortsighted to me.

This shouldn't really be an issue if you're using full disk encryption.

That seems like saying why use an encrypting password manager at all if you're using full disk encryption, isn't it okay to just keep your passwords in plaintext on your encrypted disk?

Not if you use cloud backup or get a virus.

This isn't how real security works.

There is a concept for 'defense in depth', saying that every component should be secure on its own and not rely on other components.

Encryption only protects files at rest. The vast majority of attacks are against live systems connected to a network, where full disk encryption won't help you one bit. It is a nice extra layer of protection for when a device is lost/stolen, but I don't consider it a primary form of protection for any important data.

Check out pw, my alternative to pass, designed because of the reason you mentioned: I don't want my password manager to leak the list of services I use.


In pw each password database is a single file, the internal indexes are random IDs. Each line in a database is a serialized GPG file with a password and associated metadata.

The file format is git-compatible and everything can be managed with standard command line tools.

yeah, from a security point of view it's similar to have one file or multiple ones encrypted with the same key

It's not. When you decrypt one file you have all of your passwords in-memory (terminal, clipboard, browser extension, qtpass). When you do that for one login/password pair you only expose that pair, not all of the others.

When you decrypt, you have the key in memory in either case. Assuming you don't put all the password into an untrustworthy output (terminal, clipboard, etc), what's the difference ?

With all the discussion about 1password and its decision to "more or less" move to the web and a subscription based model, I had a TODO to look at what the open source community had; especially regarding browser plug-ins, mobile apps, etc. I don't understand why a simple problem like password management, needs a subscription and a private company to create software for the problem.

This post seems to have saved me the trouble of Googling myself. I am installing on the Mac and iOS as we speak.

> I don't understand why a simple problem like password management, needs a subscription and a private company to create software for the problem.

Speaking from recent experience migrating non technical users to 1Password, while something like pass might work well for me/the typical HN user, there's no way I'd try to get family to use it. I have found the overall 1Password user experience to be very friendly and reliable, but am still semi regularly having to help family figure out/re-explain something about how it works. They'd be lost with something like pass.

Exactly. You're paying 1Password to maintain the various apps and browser plugins. Continuing to improve UX and add language support.

My parents don't speak English. Not everyone does.

That's what you're paying 1Password for.

I wish people would pay pass (or some other auditable open source software team) for this sort of thing instead.

The situation is particularly painful for security critical software like password managers and disk encryption. Commercial software could be keeping a rot-13 copy of the database on an anonymous ftp server for all I know (or, worse, be written for a leaky JavaScript sandbox).

The open source stuff generally stalls out after the first 90% of the functionality is there, and the second 90% of the work remains.

spider oak has a nice one for non-technical users, https://spideroak.com/personal/encryptr.

Encryptr uses their no-knowledge cloud. It's pretty cool and their processes are openly documented.

This does seem attractive. Any feedback on iOS client passforios it's MIT licensed? And how is sync done,itunes?

I haven't used the iOS client, but on Android the most common way to sync is to use your own Git repository accessed over SSH. You could use a private GitHub repo or one on your own server.

same on iOS it authenticates to your git repo either with password or SSH key. The only "complexity" in setting the app up is giving your public and private GPG keys to the iOS app (you can transfer them using itunes - there's also a facility to scan a QR code, but I don't know how you generate that from your GPG credentials)

> there's also a facility to scan a QR code, but I don't know how you generate that from your GPG credentials

Search for qr on the python package index using pip. There's a module that you can pipe text to and then it'll render a qr code in your terminal using Unicode glyphs. Worked well last I tried. Don't remember what the module was called but you'll be able to find it I som sure.

I love Pass, but the problem I've had is that I always feel like I have to spend a bunch of time setting it up when I'm on Windows.

I understand it's the standard UNIX password manager, so I suppose I don't have a ton of room to complain, and most of my computers are Mac or Linux, so it's not a huge deal, but I think it increases the barrier of entry a ton of people.

That said, I think Pass is awesome, and having my passwords stored in Github makes me really happy.

It's somewhat easier with Bash on Ubuntu on Windows, tho kinda broken (because the copy to clipboard feature doesn't work out of the box unless you're running an X server).

But yeah, I kinda don't like using Gpg4Win with Cygwin, which is what I'm guessing you've used too.

With the "Creators Update" there's now a `clip.exe` to which one can pipe so maybe it's not too hard to update Pass, which is itself just a Bash script.

That's good to know. I'll add support for clip.exe with the next pass version. Send an email to the mailing list to remind me?

the nonexistent browser support makes it even more troublesome to setup. there is some support on linux systems, but windows is plain out of luck

i Really like the idea of pass, but ill never accept copy pasting logins/passwords again. they'll need to be automatically inserted on a matching website. everything else is too much manual overhead for my taste.

Please understand that browser integration is the Achilles' Heel of password managers. While you get the convenience of autofill, you're also bringing access to your password database into the browser's attack surface. Bugs in the browser sandbox or improper extension implementations can allow rogue sites to get the goods. There have been multiple instances of major password manager extensions leaking secrets just in the last year.

Copying and pasting may be annoying, but it's much safer, especially if you use a program that will autoclear your clipboard for you (KeePass 2 does this after 12 seconds by default).

I agree that browser integration is troublesome. To circumvent having to use a browser extension I use rofi-pass[0] which is a external script (using rofi/dmenu and pass), so no browser integration. But it features autofill which is extremely convenient.

[0] https://github.com/carnager/rofi-pass

Also using rofi-pass, really it's better than browser integration. Especially if you bind it to a hotkey.

yes, as i said before. there is some support for linux systems. i'm using both linux and windows as well as android. my password manager will need to support and autofill on all environments with at least firefox and chrome.

pass got linux covered (both chrome and firefox), but doesn't really work for winndows.

android is really tiresome as well, as there is no way to skip my long masterpassword in favour of a fingerprint. I know, its not easy to implement that feature securely.

If you want passwords automatically inserted why not just use the browser's features that do that? I do that for some sites.

it is not as secure

Looks like the iOS app supports browser autofill and there's a Firefox plugin.

Exactly my problem.

Today I found this, need to check it out: https://github.com/Baggykiin/pass-winmenu

Using this and something like rofi-pass:


Gets me really close to the holy grail of password managers. Browser integration is possible too with PassFF:


For me, browser integration is an anti-feature for password managers.

I prefer to trust the browser integration than to trust the clipboard.

Browser integration just means you trust the plugins that provide browser integration. May not always be secure. With the recent trend of popular browser extensions being made adware after purchasing them I wouldn't always trust them. A time out clipboard is sufficient for me.

That's true, but the GP posted a link to the source of the browser plugin, which is to assume that could be avoided in this case.

Pass/gopass really needs a good browser integration add-on. I have not found one that doesn't have some minor bug or issue.

How does this compare to other popular solutions? Specifically, KeepassX / Keepass2 which are the most common solutions I've seen most Unix / Linux users employ. Can we objectively state which one is a better solution?

Objective difference: KeePass encrypts the names of the websites where you have accounts. I would not want to live without this feature.

A few differences:

- There's no builtin GUI

- Each entry is its own file

- You control the storage format (meaning it's easy to store any kind of information, not just passwords)

- It relies on GPG, so you need to set that up first

> - You control the storage format (meaning it's easy to store any kind of information, not just passwords)

In Keepass, there's a textarea associated with each password entry, which can be used to store extra data like security questions, etc.

> You need to handle X integration yourself by piping to xclip, or similar (or just cut and pasting from terminal)

pass -c (or --clip) does that for you.

>- You need to handle X integration yourself by piping to xclip, or similar (or just cut and pasting from terminal)

Wrong, pass provides the -c flag which puts it in your clipboard and clears it after a timeout.

So it does, yes. I forgot about that, since I needed to write my own wrapper to paste both username and password (stored on separate lines) anyway. Thank you for the correction, I'll update my post.

There is also QtPass (GUI around pass), and various browser extensions (e.g. BrowserPass).

Of course one has to set it up, it's not an integrated solution. But GPG provides interesting features like storing encryption keys on hardware devices. Some devices like Yubikeys can have touch-to-use enabled. So each use of a secret requires a touch (after PIN but that's once a session). Perfect combination of convenience and security for me.

KeepassXC now supports YUBIkey now.

Well "supports" is a very broad term given that yubikey supports multiple applets (OpenPGP, PIV, U2F, static passwords etc.).

Do you mean this:

> YubiKey challenge-response support for strengthening your database encryption key

From https://keepassxc.org/blog/2017-06-26-2.2.0-released/

Then it's not clear for me how this works exactly.

Pass encrypted passwords are kept in your computer, which I find safer than web based solutions. Optionally you can use git to share passwords between computers but you still need the gpg2 keys from the original repo.

Huh? Keepass is just an encrypted XML file. No GPG or remote storage required.

You can setup a password store with Pass to use multiple keys – much better than sharing keys among multiple devices.

I've been using password managers for while now, but I've recently discovered pass-rotate: https://github.com/SirCmpwn/pass-rotate

It's basically a rotation manager ! Very powerful and lets you properly change your passwords regularly on many websites (like the proprietary Dashlane Password Changer or Lastpass' similar feature).

I'm glad you like it! Please send patches with support for new services :)

Isn't copying the password to clipboard a vulnerability?

I think a better idea would be to fill in the password through something like xdotool

The clipboard's biggest vulnerability is the user themselves, but most password managers automatically clear their own entries after a customizable timeout.

Sure other applications can see the clipboard, but if you've got software running on the user's machine you've already won.

It's trivial to script if you want (either by modifying the rather simple pass script itself or by wrapping around it).

Some programs support calling an external command to get a password, that's convenient (mutt and msmtp allow that for instance). I thought about integrating pass in my window manager directly but I didn't take the time to implement it yet.

pass also tries to clear the clipboard after 45 seconds.

But really if you can't trust your clibpoard what can you do? I didn't really feel a lot safer with lastpass' browser plugin.

Password managers clear the clipboard after 1 minute or so.

What about clearing after one instance of 'paste'?

there are so many clipboard listeners out there :D so the fact that you clear the clipboard doesn't really matter

Clearing the clipboard protects against the user.

A password manager effectively can't protect against other applications on the same machine. IMO that makes the universality of the clipboard more valuable than the safety of using alternate input methods.

Though since there are plenty of things that block pasting passwords, those alternate options are appreciated.

to be honest, I can trust myself with clipboard but not what is running on my machine.

Then you can't use that machine. Not with a password manager, not without.

so you know and trust every piece of software that is running on your machine?

I think the point in discussions like these is, what is the alternative? Ie, add value to the discussion, not argue over semantics. Arguing that everything (or this thing) sucks is.. non constructive. What do you see as better alternatives?

I agree completely, the clipboard is non-trusted. Yet the fact remains, how can we transmit an arbitrary string from a secure app like a password store, to another app in need of authorization? Lets build constructive conversations.

> so you know and trust every piece of software that is running on your machine?

Ostensibly, yes. Because (as 'StavrosK said), if I don't then we can't even begin to talk about security on that machine yet. We have to start with assumptions somewhere.

If software on your machine is compromised, your machine is compromised (or will be in short order). You need to make reasonable concessions and stick with them in order to get anywhere.

If your system has been compromised and a clipboard listener is running, you may have more problems.

I'm not particularly worried about other applications on my computer listening to the clipboard. But I 99% of the time I'm pasting into a webpage in Chrome or Firefox. Can any open tab sniff the clipboard passively?

No, webpages get to the contents of clipboard only after explicit user interaction.

On the other hand it does not work this way in the other direction. Random web pages can manipulate your primary selection and overwrite it with random garbage (this primarily happens with various attempts to make copying stuff from the page more "convenient", pretyy comonly resulting in state when it is simply impossible to copy said thing into say rxvt directly). It is somewhat ironic that chrome's address bar uses some magic to prevent this from happening, while the same magic is not applied to websites.

If you are truely worried about that, you ought to be using 2FA.

The clipboard feature is helpful in pass, when I have someone standing over my shoulder or connected to a projector.

I wrote a similar password manager (without knowing that pass already exists): https://github.com/snoack/mypass

But I ended up storing everything into one single encrypted file, rather than having one file per password. Though I see the point about the UNIX philosophy (i.e. "everything is a file"), but that way you'd leak information, i.e. what the passwords stored are for.

Anyway, I'd appreciate any feedback on mypass.

You miss the point. Having multiple files is not a matter of Unix philosophy. Pass works with GPG keys... Multiple of them! The pass repository is to be shared among your team, so every file can be encrypted for a different, specific set of keys/users.

Related: hunter2[0], a password manager which uses a smartcard to manage the keys for each password, and supports multiple users.

[0] https://chiselapp.com/user/rkeene/repository/hunter2/

I started with pass and switched to gopass because it automatically pushes new passwords to your remote git repository.

I use a fish script to hook it up to https://github.com/junegunn/fzf for easy search and copying to the clipboard. https://github.com/zabil/thanksforallthefish/blob/6145e98691...

you could already do that with git hooks and pass


    git push origin master

I've been using pass for a long time now. I have over 200 passwords stored.

I like it because you can use it to store sensitive info along with metadata, not just single field passwords. It's also super easy to access the info on the command line with ways to auto-copy passwords to your clipboard (which expires after 45 seconds).

I did a write up on it a while back at https://nickjanetakis.com/blog/managing-your-passwords-on-th....

How do you deal with multiple devices? Do you sync your password files regularly between them?

I use Git; pass has integration with it out of the box (makes a commit for each change to the password store). I just push and pull periodically myself, but this could be automated. There is an Android app called Password Store that is compatible with pass and has Git integration built in.

I remember seeing some guy who had his `pass` Git repository public on GitHub and challenged the world to crack any of them. Myself, it's just git+ssh to a repository on my own server.

I use Dropbox but I also use git-remote-gcrypt[0] to encrypt the entire Git repo so that even the file names and sub-directories don't leak outside any of my computers or devices.

[0]: https://github.com/spwhitton/git-remote-gcrypt

As others have mentioned, git / dropbox works well for this.

But personally I use a different approach. I rolled my own little rsync script that syncs files that I care about (passwords and other things) between my workstation and Chromebook (I run Linux natively on it).

Things like dropbox should be perfect for this, since the files are encrypted you don't need to trust anybody

I've seen pass mentioned like a million times but I didn't realize there were so many third party extensions for it, the comments here are pretty helpful. Thanks for the submission!

I use pass on all my devices. IOS, chromebook and cli. I freaking love it! passforios is still on testflight but so good. Only a few issues with passforios:

- It forgets my github password everytime i upgrade - I honestly don't like the fact that I can't turn off the pin. 4 digits with unlimited retries. - It can't merge sometimes. I think they should be more aggressive about git rebase

Thanks for mentioning it. I previously couldn't have my passwords available from my phone.

I created a seperate ssh key and did this on my server https://superuser.com/a/444899

You should be able to generate an SSH key that you can use in your application, right?

If you can't that's definitely gotta be an issue in their backlog. Seems more robust to have a key for an application to connect with that you can simply revoke.

Pass for iOS is now on the App store

I'm currently a Lastpass user. I know, trusting them to store my passwords is probably not a great idea but it works on Windows, macOS and Linux and my iPhone with no problems at all.

Would I like to move to something that isn't stored online? Yes, of course but I haven't found a decent solution that works everywhere.

Any recommendations?

I think pass is awesome if you have the workflow that supports it, but for the vast majority (myself included) it's entirely too difficult to setup and maintain. Particularly if you're using Windows regularly.

Setup is a bit of a pain, but what workflow is required? I just keep a Cygwin window or a Bash on Ubuntu on Windows window open and tab over when I need a password. With the shell auto-completion I find it easier to use than other password managers, tho I prefer not using my mouse so I'm surely biased about that aspect.

I was previously using Password Safe, on Windows, and various compatible alternatives on Linux and Mac OS. Years ago I had tried using a single 'safe' synced via Dropbox but that was a big pain in the ass because sometimes I'd inadvertently lock the safe file by, e.g. starting to add a new password but not finishing. So instead I created a separate safe file for each computer or device. To sync new passwords or changes to existing passwords I'd have to periodically merge all of the safes and manually cleanup any conflicts between them.

The main reason why I switched to Pass is that syncing the password stores on each of my devices is so much easier using Git.

Well, I'm talking from a non-developer perspective. I don't use Git daily, so I had to stand up my own Git instance or pay Github for a private repo.

PassFF works well for Firefox on my Mac, but no equivalent for Windows. If you're willing to forgo browser integration then that's less of an issue.

Lack of browser integration might also be less of an issue in Linux with dmenu or rofi plugins like others have mentioned, but that still doesn't solve Windows issues.

I had considered the Bash/Ubuntu/Windows option (instead of qtpass) but haven't tried it yet.

Both Bitbucket and Gitlab have free private repos.

Thanks for the tip. Didn't think to check anywhere other than Github, just defaulted to standing up an Ubuntu server.

I use a 'remote' repo in Dropbox (and I use git-remote-gcrypt so that the remote repo is fully encrypted, i.e. even file and directory names), so you don't strictly need your own server.

I've been using this for a while and am very happy. Especially the ability to use a private git repository for synchronization of laptop and desktop makes this convenient.

If you're using XMonad, you definitely want to use the pass addon in the xmonad-contrib package: https://hackage.haskell.org/package/xmonad-contrib-0.13/docs...

I would claim that there isn't a more convenient password management solution than this.

If you're not using XMonad, 'passmenu' is a really handy way to get your passwords. I bind it to ctrl-alt-p and rarely run pass manually now.

Alright guys, I tried using this as I was curious, and miserably failed.

Found out I needed GPG, and some encryption key or ID and whatnot. I have no clue what these things are and would like to know.

How can I learn about this encryption stuff like keys and RAS and whatnot? (Books n Articles)

Archlinux wiki typically have very good guides:

https://wiki.archlinux.org/index.php/GnuPG https://wiki.archlinux.org/index.php/Pass

The simplest way to create your gpg-id is with:

$ gpg --gen-key

Fill in your name and email in the prompts. When it tells you it needs to generate a lot of random bytes, you'll probably want to do something like

$ find /

to generate disk entropy for gpg to pull enough random bytes from /dev/random to create your keys.

You can use the email you provided as the gpg-id you give to pass

$ pass init $email

This is a great tutorial in setting up pass on multiple accounts: https://medium.com/@davidpiegza/using-pass-in-a-team-1aa7adf...

For those interested, I've been working on something similar but for journal entries instead of passwords. [1]

[1]: https://github.com/schollz/gojot

If anyone needs a quick tutorial on pass I wrote about some it's features a while back http://tuxlabs.com/?p=450

Anybody else here simply hashing their master password with the domain name of the website?

I think this is something the browser should offer by default.

If your master password leaks you are exposed on every website where you used this scheme (and you should then change every password), so on the security side this is inferior to a master password granting access to uncorrelated passwords.

Well, you can add a salt to this scheme.

I know, it's not perfect, but it beats carrying around password files between devices.

But you would just need to carry the salt around instead. You're just trading convenience for (significantly) lower security.

Yes, it's a trade-off.

By the way, I'd prefer to have a password manager on my phone (or smartwatch), and have it beam my password to my keyboard by NFC. But this solution does not exist yet.

As the other commenter pointed out, you need to carry your salt with you to deduce the actual password. On top of that, you need to keep your salt secret, otherwise it is trivial to deduce your password. So your system [password = hash(master password, salt, domain)] is exactly the same as a master password protecting several other ones. Just use your salt as a password directly at this point...

Such ideas are already implemented in deterministic password managers (erm generators) which have a some key security issues related to portablility and weaker schemes that can be hacked and if your master password is compromised or insecure. A bad idea in my opinion.

How do you rotate passwords?

Yes, I do something like this, along with storing the password requirements and username/domain in localStorage and allowing it to sync between devices: https://webpass.rkeene.org/

What about websites that require to have special characters in your password, since the hash is just HEX? What about multiple accounts on the same website, same password?

A hash is a value. You don't have to encode it in hex.

typically the hashes are represented as a sequence of hexadecimal digits, just as an example md5 and sha265

Hash value is just a value picked out of some domain. For most hashes this domain is Z_{2^n} with n usually divisible by 8. It is then convenient to represent that as hexadecimal number, but there is nothing special about that particular encoding. For purpose of generating secure password you can even use said hash as seed for CSPRNG and then use it for FIPS 181 random password generator algorith or something similar.

Did anyone here NOT write their own pw manager?

Implemented as 700 lines of shell script?! Why?

I've used pass for years, it's great.

No, no it's not.

Ed is the standard password manager.


"standard Unix $THING" has meaning beyond marketing-speak. https://en.wikipedia.org/wiki/Single_UNIX_Specification

If it becomes standard, people would use it without a master password, and then stealing passwords via malicious scripts will become very easy.

What? How does this follow?

Well, I guess if you had no master password, any script you expect people to run could have a surreptitious "pass <some args> | curl" to post password data to some web service of your choosing.

Still, if you use a password manager without a master password, I don't think you can be protected from consequence, regardless of what your tools do. Pass could refuse to allow the no master password scenario, or could force some type of blatant user interaction to allow it to work, but ultimately, that user is screwed by something somewhere.

Pass doesn't handle your "master password" at all, it's completely delegated to GnuPG (pass is really nothing more than a shell wrapper your file system, GnuPG, and Git). Does GnuPG let you easily get away without a password on your key, I don't remember ATM.

It's completely possible to setup `pass` such that you can type `pass <name>` and it will print the password to stdout (you might has to pass an extra parameter or so) without ever asking the user to input anything to confirm they approve of this action.

Now if this were to become mainstream, it's almost guaranteed that some percentage of users will set it up to work that way.

And now you have the perfect opportunity to write a script that simply attempts to read passwords using pass and if it succeeds sends the results somewhere on the net.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact