[HN Gopher] Pass: The standard Unix password manager
___________________________________________________________________
Pass: The standard Unix password manager
Author : homarp
Score : 84 points
Date : 2021-04-13 20:45 UTC (2 hours ago)
(HTM) web link (www.passwordstore.org)
(TXT) w3m dump (www.passwordstore.org)
| xrisk wrote:
| I used to use this, and then I moved to a real password manager.
| Like seriously, this doesn't hold a candle to an actual well-
| engineered password manager. I use Keepass right now, with
| MacPass and Keepassium; both excellent apps.
| aborsy wrote:
| Careful: KeePassium only shares a similar name with KeePass and
| happens to read the KeePass format; it's not associated with
| the same brand!
| barbs wrote:
| What does Keepass do that pass doesn't?
| spicybright wrote:
| I've only used KeePassX on Windows, but the auto fill feature
| was amazing.
|
| You would push a key shortcut, then based on the window title
| of whatever window has focus, it would simulate key presses
| into it. So I could type secure credentials into any program
| on my computer with one key stroke.
| Isognoviastoma wrote:
| That's how I use pass on Linux. A key shortcut is bound to a
| script that calls "xdotool getwindowfocus getwindowname",
| selects a credential set based on it, asks for the master
| password with pinentry-qt if needed, then types with
| "xdotool type --file -".
|
| It works and is better than placing the password in the clipboard
| and then "xdotool type $pass". Likely worse than proper
| integration with the password consumer.
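The title-driven autotype flow described in the comment above, written out as a small POSIX shell script. This is an added example, not code from the thread or from pass itself. It assumes xdotool and pass are on the PATH, that entries are named after the site they belong to (the "web/" prefix is this example's convention), and that the key binding invokes the script as `autotype.sh run`.

```sh
#!/bin/sh
# Title-driven autotype for pass (added example, not part of pass).
# Assumes: xdotool + pass installed, entries named like web/github.com.

STORE=${PASSWORD_STORE_DIR:-$HOME/.password-store}

# pick_entry TITLE ENTRIES: ENTRIES is a newline-separated list of entry
# names. Prints the first entry whose basename ("github.com") or first
# label ("github") occurs in TITLE, case-insensitively. If several
# entries could match a title, list the more specific one first.
pick_entry() (
    set -f                                    # no globbing of entry names
    title=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    IFS='
'
    for entry in $2; do
        base=$(printf '%s' "${entry##*/}" | tr '[:upper:]' '[:lower:]')
        case "$title" in
            *"$base"*|*"${base%%.*}"*) printf '%s\n' "$entry"; exit 0 ;;
        esac
    done
    exit 1                                    # nothing matched
)

# Flat list of entry names, the same names `pass ls` shows as a tree.
list_entries() {
    (cd "$STORE" && find . -name '*.gpg' | sed -e 's|^\./||' -e 's|\.gpg$||')
}

# Key-binding entry point: read the focused window's title, choose an
# entry, let pass/gpg-agent decrypt it (pinentry prompts for the PIN or
# passphrase if the agent has nothing cached), then type line 1 (the
# password) into that window. The clipboard is never involved.
autotype_focused() {
    title=$(xdotool getwindowfocus getwindowname) || return 1
    entry=$(pick_entry "$title" "$(list_entries)") || {
        echo "no pass entry matches window '$title'" >&2
        return 1
    }
    pass show "$entry" | sed -n '1p' | tr -d '\n' | xdotool type --file -
}

# Only act when invoked as `autotype.sh run`, so the functions above can
# be sourced or tested without touching X at all.
case "${1:-}" in run) autotype_focused ;; esac
```

Two caveats a practitioner will hit: xdotool types into whatever window has focus at the moment the agent finishes prompting, so a stray click mid-prompt sends the password elsewhere; and the match is only as good as the window title, which is why the comment rates this below proper integration with the login form.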
| [deleted]
| Justsignedup wrote:
| here's why this is a bad idea:
|
| - i generate random passwords for myself (yay)
|
| - i share these random passwords with my team (ugh... git i guess
| huh!)
|
| - i share some of these random passwords with my family (you try
| teaching a 6 year old git, and a 37 year old woman who already
| doesn't want to change her habits)
|
| - i use these passwords on my home computer (windows), work
| computer (osx), android, ios
|
| Yeah, not going to switch away from 1password any time soon.
| shakna wrote:
| > - i use these passwords on my home computer (windows), work
| computer (osx), android, ios
|
| All of these have support for GPG, yes? So pass will work fine
| with them. It's just a wrapper around GPG.
| coldtea wrote:
| Not sure what any of the above have to do with this app...
|
| "- i share these random passwords with my team (ugh... git i
| guess huh!)"
|
| Git doesn't mean you "share" anything. First, you can use a
| private repo, second your passwords are encrypted. Unless you
| give the master key, nobody "shares" your passwords, even if
| they have access to the git repo.
| Justsignedup wrote:
| I'm saying the tool works for a subset of uses for generated
| encrypted password stores. Unless I misunderstand and this is
| entirely for secret sharing between servers, in which case I
| retract everything I said.
| oritsnile wrote:
| I've used pass for a while, but I switched to Bitwarden, since it
| has official apps for all platforms. Also with Bitwarden I only
| have to trust them, with pass I have to trust all the different
| app developers.
| b1476 wrote:
| What different app developers? Isn't pass basically a wrapper
| around GPG?
| PureParadigm wrote:
| I've been using pass for several years now and I recommend it to
| my friends, but I usually get weird looks when I say I store my
| passwords in a git repo (it's not as bad as it sounds!). Here's
| why:
|
| - I host my git repo on my desktop computer (through SSH), so
| it's not exposed anywhere except if you have SSH access to my
| computer. (A lot of people seem to think git = GitHub which is
| not true). So if your git repo is not exposed to the public, you
| don't leak any of the site names/usernames you use.
|
| - The passwords are GPG encrypted so even if it were leaked that
| would be okay as long as my secret key remains secure.
|
| As far as usability goes, I usually use the -c option to
| copy/paste my passwords. I used a browser extension for a while,
| but I haven't gotten around to reinstalling since the copy/paste
| works fine for me. Syncing with my phone and Linux devices works
| perfectly (since it's just git).
|
| The Windows client seems to be no longer maintained [1], so I
| would like better support here for my Surface. But this is still
| okay since I can SSH to my desktop computer from Windows and
| copy/paste the passwords from there.
|
| [1] https://github.com/mbos/Pass4Win#readme
| mattacular wrote:
| It's worth mentioning though that your repo could leak metadata
| about what accounts you have, and your username, depending on
| how you name your pass entries (i.e. you can mitigate it by
| adopting a more cryptic naming scheme for sensitive entries).
| Just something to be aware of, it may not matter for your use
| case. Bitbucket still offers free private repos, which I use
| for my password store.
| encryptluks2 wrote:
| There is gopass for Windows which is compatible last time I
| checked. It also works on Linux and Mac too:
|
| https://github.com/gopasspw/gopass
| RcouF1uZ4gsC wrote:
| > I used a browser extension for a while, but I haven't gotten
| around to reinstalling since the copy/paste works fine for me.
|
| One danger of doing just copy and paste is that you are more
| exposed to phishing attacks. The browser extension for the
| password managers check that the site that they are filling in
| is indeed the site that they stored the password for.
| aborsy wrote:
| But extensions bring their own security concerns too.
|
| You can use auto type. But you need to make each entry
| identifiable and sometimes it doesn't work because page and
| login titles change.
| spicybright wrote:
| How do you get your passwords out of the repo on your phone?
| koolba wrote:
| Not having access to your passwords on your phone is
| considered by some of us as a feature.
| spicybright wrote:
| OP said they sync it to their phone.
| PureParadigm wrote:
| git push. The Android app works with git repos from SSH. I
| also use Wireguard since I run my SSH server behind the VPN,
| but this is obviously optional since you can just expose your
| SSH server to the internet.
| spicybright wrote:
| Sorry, I meant more on the UI side. Like if I'm on a
| website that needs a login, do I run a pass command in a
| local terminal, then copy and paste?
| coldtea wrote:
| That's what they meant with "The Android app works with
| git repos from SSH".
|
| That is: there are GUI mobile and desktop client apps,
| compatible with the pass storage schemes.
|
| In this case, the parent refers to one such app that can
| connect to e.g. your GitHub repo with your passes, and
| read/manage the passwords from there.
| PureParadigm wrote:
| Ah, there is an Android app [1] which you sync the
| passwords to and it basically presents a list of all your
| websites. To use a password: tap on the website name,
| unlock your GPG key, and then see your password and put
| it in your phone's copy/paste buffer.
|
| [1] https://play.google.com/store/apps/details?id=dev.msf
| jarvis....
| aborsy wrote:
| Do phone apps support Yubikey?
| PureParadigm wrote:
| The Password Store app delegates key management to
| another app. I use OpenKeychain [1] for this. I believe
| OpenKeychain supports Yubikeys, but I haven't used that
| feature myself so I can't speak about how well it works.
|
| [1] https://www.openkeychain.org/
| hk1337 wrote:
| You could also store it in a Keybase [1] repo.
|
| [1] https://keybase.io/
| vmception wrote:
| Tangential question: why doesn't KeePass or KeePassX autosave?
|
| Why does it even have the antiquated save button to begin with?
|
| I have permanently lost access to some things due to this, as
| other password managers don't have retro features like that.
| Usually when I'm using Unix or Linux, it's on an OSX keyboard so
| even my reflexive shortcut key saving has buttons flipped.
| 002445 wrote:
| Open options, enable autosave, enjoy.
| vmception wrote:
| that should be default, thanks for the tip
| jeremy_k wrote:
| Interesting to see this come up. I wrote about using pass to
| authenticate to Docker inside of an Alpine Linux docker container
| last summer[1]. It was quite the undertaking to get it all
| working. The premise was to figure out how to securely
| authenticate to Docker, potentially in a CI type system.
|
| [1] - https://jer-k.github.io/apline-linux-docker-
| authentication-w...
| coldtea wrote:
| > _The password store does not impose any particular schema or
| type of organization of your data, as it is simply a flat text
| file, which can contain arbitrary data._
|
| That whole section, the options (or lack thereof) is a mess...
| encryptluks2 wrote:
| Not really.. Gopass which is compatible supports YAML-based
| key/values. I find having to conform to a particular password
| management solution for extended entries to be more messy.
| yakubin wrote:
| It is a file-based key-value store, where only the values are
| encrypted[1], with GPG to make it worse. For these reasons, I
| moved to KeePassXC. It is cross-platform, has a nice Qt GUI and
| you don't have to resort to hacks to have several values
| associated with a single key (i.e. not just password, but also
| username and others).
|
| [1]: Keys and Git history are not encrypted.
| netflixandkill wrote:
| Unless you need multiple concurrent writers or some kind of
| RBAC it's going to be really hard for anything to beat the KP
| database just because it already takes things like that into
| account, along with optional entry history, arbitrary
| associated values, etc.
|
| Been using it both with computers/phones and via programmatic
| access on cloud storage for years.
| taeric wrote:
| I get why folks don't like gpg for securing email. What makes
| this use of it bad?
| yakubin wrote:
| Because you still need to manage your GPG keys with an
| obscure CLI. When I last switched computers, I tried just
| copying my "~/.gpg" directory. Didn't work. GPG was confused,
| produced even more confusing messages, which didn't really
| help me understand what the problem was. I needed to google
| for the right incantation of commands to export my keys from
| one computer and import them on another. Compare that to what
| you have with KeePassXC: switching computers? Just copy this
| single file and everything will just work.
|
| And I don't want to know if I'm holding GPG right. I just
| want the tool to work for my specific case. But GPG wasn't
| designed specifically with this case in mind, so, as usual,
| it will be terrible. It tries to be too many things.
| aborsy wrote:
| Here are some of the pros of Pass:
|
| * It leaks meta-data. That might sound like a con, but in exchange
| you get the ability to extract a password without decrypting and
| thus exposing other passwords.
|
| * It's more convenient than a single file password manager. You
| type "pass -c goo" for your Google account, instead of clicking
| on your password manager, typing a password, searching in the
| database, finding the right entry, copying the password or pressing
| auto complete and closing the database.
|
| * You don't need your master password to add a new password (it
| uses asymmetric encryption).
|
| * You can easily program it, e.g., write backup scripts that grab
| a password from the store.
|
| * It uses GPG which means your secret key can be stored on a
| Yubikey, handled by a dedicated agent. Your password is basically
| a short PIN. This is unparalleled convenience!
|
| * It's secure, because it's a short bash script that you can check,
| and uses a dedicated well-audited cryptographic tool.
|
| There might be a few cons though. For example, if you store your
| database on a cloud, say, Dropbox, Dropbox could switch your
| Dropbox.com file with your google.com file, and you copy and hand
| over your Google password to Dropbox. But this is hypothetical for
| most of us! Also, some people don't like metadata (filename)
| leakage, though apparently there are solutions for that.
|
| Overall it's very convenient and functional. I highly recommend
| it.
| smegcicle wrote:
| > For example, if you store your database on a cloud, say,
| Dropbox, Dropbox could switch your Dropbox.com file with
| google.com file
|
| That's sad. Could we include a hash to detect stuff like this?
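Two threads above meet here: the "flat text file" layout (password on line 1, free-form "key: value" lines after it, which is also what gopass parses and what "pass -c" relies on when it copies only the first line), and the question of detecting a sync provider that swaps google.com.gpg with dropbox.com.gpg. The shell below is an added example, not code from pass or from anyone in this thread. The sample entry is constructed, and the "path:" line that ties an entry to its own name is this example's convention: pass does not write it for you, so you add it with "pass insert -m" or "pass edit".

```sh
#!/bin/sh
# Helpers for the multi-line entry convention plus a substitution check.
# Added example, not part of pass. Keys are assumed to be plain
# identifiers (no regex metacharacters or slashes).

# Constructed sample: what `pass show web/google.com` prints once gpg has
# decrypted it. Line 1 is the password; the rest is free-form text.
SAMPLE_ENTRY='correct horse battery staple
username: alice@example.com
url: https://accounts.google.com
path: web/google.com'

# The password is always the first line.
entry_password() { printf '%s\n' "$1" | sed -n '1p'; }

# entry_field ENTRY KEY: value of the first "KEY: value" line after line 1.
entry_field() {
    printf '%s\n' "$1" | sed -n "2,\$s/^$2:[[:space:]]*//p" | sed -n '1p'
}

# entry_verify_path ENTRY NAME: true if the decrypted text says it belongs
# to NAME. Renaming google.com.gpg to dropbox.com.gpg leaves a perfectly
# valid OpenPGP blob, so gpg decrypts it without complaint; only a name
# carried inside the ciphertext can expose the swap.
entry_verify_path() {
    [ "$(entry_field "$1" path)" = "$2" ]
}

# Drop-in for `pass show NAME | head -n 1` in scripts: refuses a swapped
# entry instead of handing the wrong site's password to the caller.
safe_password() {
    content=$(pass show "$1") || return 1
    if ! entry_verify_path "$content" "$1"; then
        echo "refusing $1: decrypted text is bound to '$(entry_field "$content" path)'" >&2
        return 1
    fi
    entry_password "$content"
}

# Script-friendly use, e.g. in a backup job (the entry name is made up):
#   RESTIC_PASSWORD=$(safe_password backup/restic) restic backup "$HOME"
```

This check only covers the "two valid files got swapped" case; it does not make the store tamper-evident on its own. The git history pass keeps ("pass git log") still records which file changed and when, and signing those commits is the cheaper way to notice rewritten history.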
| taeric wrote:
| The asymmetric point is surprisingly useful.
| woodruffw wrote:
| I don't use pass myself (I have severe NIH[1]), but its design
| has inspired me many times over: very, very few tools rise to the
| challenge of adhering to the Unix philosophy without cargo-
| culting it, and pass is one of them. I _highly_ recommend that
| people looking to write engineer-friendly tools study its
| manpage[2].
|
| [1]: https://github.com/woodruffw/kbs2
|
| [2]: https://git.zx2c4.com/password-store/about/
| ruiseal wrote:
| I also wrote my own age compatible pass clone a year ago but
| yours is much better. You've gotten a new user.
| slk500 wrote:
| I finally have found peace with emacs orgmode+gpg
| 2pEXgD0fZ5cF wrote:
| Been planning to switch to pass for a while now because it looks
| nice!
|
| Is there a comfortable way to store+access arbitrary files and/or
| attachments with pass?
| tlackemann wrote:
| Pass user for many years, always loved it.
|
| There are a number of ways to integrate it into rofi too, so with
| the press of a few keys I can navigate to any site and login
| instantly.
|
| To squash a few concerns:
|
| - Leaking data - If someone types "pass" in your terminal it will
| show a list of sites that you've stored. I don't find this any
| less obvious than if someone had LastPass installed on their
| machine.
|
| - Trusting different app developers - This can be true, but if
| you stick with the CLI then there's only one app to trust - and
| one person! You don't rely on a company to safeguard your data,
| you trust yourself.
|
| YMMV, thoughts are my own. I happen to very much enjoy pass and I
| think others might too if you like owning your own data.
| JadoJodo wrote:
| I love the idea of Pass, but from what I've seen of the UX (not
| talking looks) it doesn't really compare to the ease of use of
| products like 1Password (which I suspect was the catalyst for
| this being reposted). Does anyone have any contrary experiences
| when shared across iOS, Linux, and macOS devices + browsers?
| Skunkleton wrote:
| I really like pass, but I switched to Bitwarden for this
| reason. Bitwarden has first party support everywhere I need it.
| Pass has clients everywhere, but other than the CLI I have not
| been impressed.
| cameronhowe wrote:
| it couldn't be easier to keep up to date across devices:
| "pass git push" and "pass git pull"
|
| there are also at least two browser addons both of which work
| very well for filling fields
| 12ian34 wrote:
| um, yes, it could be easier. It could sync across devices
| automatically...
| encryptluks2 wrote:
| QtPass was decent last time I tried it but I'm not sure if it
| has been updated recently. Not really much need to have a
| separate GUI though when there are browser extensions like
| Browserpass.
| gmuslera wrote:
| Its simple file format lets you build different interfaces to
| access the same files. I prefer gopass (https://www.gopass.pw/)
| as a user interface as it has a few extra features that make it a
| bit more comfortable.
| philips wrote:
| I love pass but mostly use it as a tool for an encrypted journal.
| alias journal='pass edit journal/$(date +%Y-%m-%d)'
| kingo55 wrote:
| Great use case!
| nextstep wrote:
| Is there a way to synchronize this with 1Password via a plug-in?
| I would like to use pass as another backup of my 1Password
| database.
| bloaf wrote:
| It feels nice and clean, but also like it is leaking the list of
| sites I use.
| teddyh wrote:
| Leaking to where?
| bloaf wrote:
| To anything with read access to your chosen storage
| filesystem.
| ufo wrote:
| In the default settings the names of the websites are stored
| unencrypted, in the filenames.
| battles wrote:
| To anyone who types pass in your terminal it looks like.
| cameronhowe wrote:
| compared to other password managers, which are just an
| encrypted database.
|
| pass uses normal folders to store your website/username
| information so in that way it is less protected.
| _jal wrote:
| Something to consider, sure.
|
| But the exposure is to anyone with access to your encrypted
| pass data. Which in the normal use case is going to be
| anyone with access to your user account, which means they
| could likely already see your shell and browser history.
| [deleted]
| woodruffw wrote:
| I think this is outside of the threat model of most password
| managers -- your desktop search history (whether in your shell,
| Spotlight, or whatever) is leaking equivalent and probably more
| detailed information.
| ufo wrote:
| It can be a problem if you want to back up the password
| database to the cloud.
|
| That's part of the threat model for most other password
| managers, which use a single encrypted file for the database.
| Pass is the only popular one I know that stores part of the
| information in plaintext.
| woodruffw wrote:
| I don't actually use pass, but as an idle thought: if
| you're concerned about this sort of metadata when syncing
| your `pass` store to a cloud provider, why not take
| advantage of the GPG key you already have and encrypt
| everything as a single blob in one shot? You pay a little
| more with each synchronization, but probably not enough to
| worry about for reasonably sized stores.
| zabzonk wrote:
| In what sense is this "standard"?
___________________________________________________________________
(page generated 2021-04-13 23:00 UTC)