
I've been using pass since mitro.co announced their shutdown.

The only (somewhat big) downside to this, and related unix pw managers is the sheer lack of browser compatibility - mobile would also be nice, as that's one of the places where it's a PITA to use and enter long passphrases.

pass claims to have both, but doesn't:

https://github.com/jvenant/passff#readme does not work.

The iOS app has disappeared from github: https://github.com/rephorm/pass-ios#readme

It's solvable problems, I just find it a somewhat important part of a password manager.


I'm running a small agency with two friends and we're keeping mitro alive (and better: are fixing issues) here: https://passopolis.com/

Firefox and Chrome extensions are working, and I'm currently spending a few hours a week on migrating to the new Firefox-extension protocol.


I suppose it just depends what you look for in a password manager. I tried lots of solutions from Last Pass, KeepassX to pass but I prefer the scriptability and portability of a command line based password manager and I'm not overly bothered about mobile and browser.


You're right, and don't take this as a challenge, I'm honestly wondering:

How come you aren't bothered? I ask because I can't imagine apart from:

a. I use short or cryptically unsafe passphrases,

b. I use passphrases and type them easily,

c. I only need to log in a few times.

Am I forgetting others?


For non-mobile use-cases the passmenu script distributed with pass comes in handy:


It types the selected password via xdotool.


One of the vulns in this exploit is fixed, rendering the exploit "useless" in 10.11.

But start the mac hate train regardless - if facts don't count :)


Why the massive downvotes when contributing to the issue he raises?

> Apple appears to be in no rush to fix the first one, I wouldn't bet my money on this vulnerability getting a fix any time soon, either ...

As it was clearly stated, there is a fix. Whether or not they'll release a 10.10 patch remains to be shown, and "no rush" is speculation.

I'll never understand the HN crowd, but I guess providing additional information to clear up a false statement, while correcting OP's assumptions is against the rules.


>Whether or not they'll release a 10.10 patch remains to be shown

10.10.3, which includes that fix, was released 3 days ago. I'll never understand the HN crowd, whining about the HN crowd while you didn't bother googling before writing your rant.


I'm sorry, where's the rant?

I didn't know there was a 10.10.3 patch - I never said there wasn't. OP said there wasn't, I said it remains to be shown. You're more than welcome to correct me on that.

I don't understand what my patch sentence has to do with whining - or how that is whining about the HN crowd?

It's still unclear what was unwanted about my original comment, so I can't really correct my behavior (which was what I wanted all along).


Just to clarify: that just means you couldn't compile it. It doesn't imply your system is/isn't vulnerable.


Sure, but it's somehow satisfying to know that it's broken for those who don't make the effort to fix it. ;) (It happened to me because I'm using a different compiler than the exploit needs..)


Malware comes precompiled and ready to run, it doesn't depend on you having a compiler installed.


True that! I'm looking at you, homebrew ..


Not sure why you're looking at Homebrew.

If you're feeling jumpy about binary packages, just set `HOMEBREW_BUILD_FROM_SOURCE="1"` in your shell profile.

Nobody's forcing binaries onto you.


True, but I don't have all the time in the world to read the sources, either ..


Then you should not install them on a machine with confidential data at all, source or binary. It's that simple!


I hope it's a mechanism to make it possible for new employees to actually work on this app.

Perhaps someone with experience on large complex applications can share some insights?

Otherwise, I pity the FB employees who get assigned to this project. "Here you go, fix that button, here's 18k files to digest".

Surely they must've decoupled it into oblivion in order to have a class that manages "just that", so

1. new employee can work in an "isolated" context (although he really isn't)

2. can locate where to write and debug in this complex codebase.


The only concern I share with the author is this:

The isolation provided by Docker is not as robust as the segregation established by hypervisors for virtual machines.

As seen with CVE-2015-3629[0] for instance.

The other points: patch level and docker management isn't understood, seem to be people problems which can easily be corrected.

[0]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3629


Or just run it in a docker container with your X11 session mounted. That works great for me.


Which tools are you talking about?


I assume they're talking about https://mac.github.com/


Ah, thank you.




Git is widely available, even on github: https://github.com/git/git

  apt-get install git
  pacman -Sy git
  emerge --ask dev-vcs/git
  yum install git


HTTPS Everywhere only forces HTTPS when it's possible.

Force-TLS and HTTP Nowhere do what you describe.


I know and I kinda hate its name for it...

I could have sworn it also had an option to only allow HTTPS connections with error as fallback. But I guess I saw that in some other add-on. Sorry for the false information!


Yes to both, but I meant a search engine that only gives results which, themselves, use https. Either a standalone search engine or as a DDG or Google query flag, e.g.,

query: home siding repair -protocol:http


Care to elaborate, what is the "secret"?


Sabian is run by the same family from the look of it, albeit a different branch after a legal dispute.


I've also used Mitro ever since I first saw it, and I'm really sad to see it go (had plans to implement the server in python, but at the risk of overseeing a security flaw I opted not to)

Lately I've been looking at pass[0], do any of you have experience running this (with git)?

[0] http://www.passwordstore.org/


