
I like and use pass regularly, but it has some inconveniences.

- It doesn't encrypt the paths to the passwords

- It doesn't use a structural language for the password files, so additional information like username has to be stored in the path of the password

- It doesn't work with (Update: X.509) smartcards/gpgsm

- It's written in bash. That has pros and cons...




> - It doesn't use a structural language for the password files, so additional information like username has to be stored in the path of the password

You can use multi-line passwords with the -m flag without leaking any information in the path.

You can put whatever you want in the password entry, in whatever text format you want.

So you can save an entry like this:

    areallygoodstrongpassword
    Username: someusername
    Secret API key: abc123

It's also really smart about what happens when you copy that entry to your clipboard. It will copy just the first line for easy password pasting.

There's a demo of me using it to store AWS credentials in this write up: https://nickjanetakis.com/blog/managing-your-passwords-on-th...

> - It doesn't encrypt the paths to the passwords

Yep, but the upside is you have tab complete in your terminal for accessing your passwords.

If you planned to put it up on GitHub you could always encrypt the folder / file names using https://github.com/cryptomator/cryptomator or a comparable tool. I don't publish my pass fields on my public GitHub account, so I never ran into this problem.


> - It doesn't use a structural language for the password files, so additional information like username has to be stored in the path of the password

Only the first line of an encrypted file is considered to be the password. So you can just put your username or any other account-related information on the following lines.

> - It doesn't encrypt the paths to the passwords

To elaborate: One of the problems with this approach is that it may leak websites where you have accounts to people who gain access to your pass repo/directory even without gaining control of your gpg key.

> - It doesn't work with smartcards/gpgsm

What do you mean by that? I use pass with my yubikey as a gpg "smartcard"?


>> - It doesn't use a structural language for the password files, so additional information like username has to be stored in the path of the password

> Only the first line of an encrypted file is considered to be the password. So you can just put your username or any other account-related information on the following lines.

I didn't know that. But what I would have preferred was copying the username with one command and copying the password with another.

>> - It doesn't work with smartcards/gpgsm

> What do you mean by that? I use pass with my yubikey as a gpg "smartcard"?

I haven't tried that with a YubiKey, but with a corporate X.509 ID card. And that needed gpgsm. I had to patch pass in order for it to work, because gpgsm uses different parameters than gpg.
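
Added example, not part of the thread and not code from pass: a small shell helper that pulls a single field out of a decrypted multi-line entry, so the username can stay inside the encrypted file instead of the unencrypted path. The function name `pass_field`, the `Key: value` convention and the sample entry are assumptions built from the layout described in the comments above.

```shell
#!/bin/sh
# Constructed sample entry, in the layout described in the thread:
# line 1 is the password, later lines are free-form "Key: value" pairs.
sample_entry() {
    cat <<'EOF'
areallygoodstrongpassword
Username: someusername
Secret API key: abc123

URL: https://example.com:8443/login
EOF
}

# pass_field NAME: read a decrypted entry on stdin, print one field.
# "password" selects line 1; other names match "Name: value" lines,
# case-insensitively. Exit status is 1 if the field is absent.
pass_field() {
    awk -v want="$1" '
        BEGIN { want = tolower(want) }
        NR == 1 {
            if (want == "password") { print; found = 1; exit }
            next
        }
        {
            i = index($0, ":")            # split on the FIRST colon only
            if (i == 0) next              # blank or free-text line
            if (tolower(substr($0, 1, i - 1)) != want) next
            val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            print val; found = 1; exit
        }
        END { exit (found ? 0 : 1) }
    '
}

# Demo on the constructed entry; with a real store the input would be
# `pass show <entry>` (the entry name is yours to choose).
sample_entry | pass_field username
sample_entry | pass_field password
```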



