[HN Gopher] Pass: The standard Unix password manager
___________________________________________________________________
Author : homarp
Score : 84 points
Date : 2021-04-13 20:45 UTC (2 hours ago)
web link (www.passwordstore.org)

| xrisk wrote:
| I used to use this, and then I moved to a real password manager. Like seriously, this doesn't hold a candle to an actual well-engineered password manager. I use Keepass right now, with MacPass and Keepassium; both excellent apps.
| aborsy wrote:
| Careful: KeePassium only shares a similar name with keepass, that happens to read keepass format; it's not associated with the same brand!
| barbs wrote:
| What does Keepass do that pass doesn't?
| spicybright wrote:
| I've only used keypassx on windows, but the auto fill feature was amazing.
|
| You would push a key shortcut, then based on the window title of whatever window has focus, it would simulate key presses into it. So I could type secure credentials into any program on my computer with one key stroke.
| Isognoviastoma wrote:
| That's how I use pass on Linux. A key shortcut is bound to a script that calls "xdotool getwindowfocus getwindowname", selects a credentials set based on it, asks for the master password with pinentry-qt if needed, then types with "xdotool type --file -".
|
| It works and is better than placing the password in the clipboard and then "xdotool type $pass". Likely worse than proper integration with the password consumer.
| [deleted]
| Justsignedup wrote:
| here's why this is a bad idea:
|
| - i generate random passwords for myself (yay)
|
| - i share these random passwords with my team (ugh... git i guess huh!)
|
| - i share some of these random passwords with my family (you try teaching a 6 year old git, and a 37 year old woman who already doesn't want to change her habits)
|
| - i use these passwords on my home computer (windows), work computer (osx), android, ios
|
| Yeah, not going to switch away from 1password any time soon.
| shakna wrote:
| > - i use these passwords on my home computer (windows), work computer (osx), android, ios
|
| All of these have support for GPG, yes? So pass will work fine with them. It's just a wrapper around GPG.
| coldtea wrote:
| Not sure what any of the above have to do with this app...
|
| "- i share these random passwords with my team (ugh... git i guess huh!)"
|
| Git doesn't mean you "share" anything. First, you can use a private repo, second your passwords are encrypted. Unless you give the master key, nobody "shares" your passwords, even if they have access to the git repo.
| Justsignedup wrote:
| I'm saying the tool works for a subset of uses for generated encrypted password stores. Unless I misunderstand and this is entirely for secret sharing between servers, in which case I retract everything I said.
| oritsnile wrote:
| I've used pass for a while, but I switched to bitwarden, since it has official apps for all platforms. Also with bitwarden I only have to trust them, with pass I have to trust all the different app developers.
| b1476 wrote:
| What different app developers? Isn't pass basically a wrapper around GPG?
| PureParadigm wrote:
| I've been using pass for several years now and I recommend it to my friends, but I usually get weird looks when I say I store my passwords in a git repo (it's not as bad as it sounds!). Here's why:
|
| - I host my git repo on my desktop computer (through SSH), so it's not exposed anywhere except if you have SSH access to my computer. (A lot of people seem to think git = GitHub which is not true).
| So if your git repo is not exposed to the public, you don't leak any of the site names/usernames you use.
|
| - The passwords are GPG encrypted so even if it were leaked that would be okay as long as my secret key remains secure.
|
| As far as usability goes, I usually use the -c option to copy/paste my passwords. I used a browser extension for awhile, but I haven't gotten around to reinstalling since the copy/paste works fine for me. Syncing with my phone and Linux devices works perfectly (since it's just git).
|
| The Windows client seems to be no longer maintained [1], so I would like better support here for my Surface. But this is still okay since I can SSH to my desktop computer from Windows and copy/paste the passwords from there.
|
| [1] https://github.com/mbos/Pass4Win#readme
| mattacular wrote:
| It's worth mentioning though that your repo could leak metadata about what accounts you have, and your username, depending on how you name your pass entries (i.e. you can mitigate it by adopting a more cryptic naming scheme for sensitive entries). Just something to be aware of, it may not matter for your use case. Bitbucket still offers free private repos, which I use for my password store.
| encryptluks2 wrote:
| There is gopass for Windows which is compatible last time I checked. It also works on Linux and Mac too:
|
| https://github.com/gopasspw/gopass
| RcouF1uZ4gsC wrote:
| > I used a browser extension for awhile, but I haven't gotten around to reinstalling since the copy/paste works fine for me.
|
| One danger of doing just copy and paste is that you are more exposed to phishing attacks. The browser extensions for password managers check that the site they are filling in is indeed the site that they stored the password for.
| aborsy wrote:
| But extensions bring their own security concerns too.
|
| You can use auto type.
| But you need to make each entry identifiable and sometimes it doesn't work because page and login titles change.
| spicybright wrote:
| How do you get your passwords out of the repo on your phone?
| koolba wrote:
| Not having access to your passwords on your phone is considered by some of us as a feature.
| spicybright wrote:
| OP said they sync it to their phone.
| PureParadigm wrote:
| git push. The Android app works with git repos from SSH. I also use Wireguard since I run my SSH server behind the VPN, but this is obviously optional since you can just expose your SSH server to the internet.
| spicybright wrote:
| Sorry, I meant more on the UI side. Like if I'm on a website that needs a login, do I run a pass command in a local terminal, then copy and paste?
| coldtea wrote:
| That's what they meant with "The Android app works with git repos from SSH".
|
| That is: there are GUI mobile and desktop client apps, compatible with the pass storage schemes.
|
| In this case, the parent refers to one such app that can connect to e.g. your GitHub repo with your passes, and read/manage the passwords from there.
| PureParadigm wrote:
| Ah, there is an Android app [1] which you sync the passwords to and it basically presents a list of all your websites. To use a password: tap on the website name, unlock your GPG key, and then see your password and put it in your phone's copy/paste buffer.
|
| [1] https://play.google.com/store/apps/details?id=dev.msfjarvis....
| aborsy wrote:
| Do phone apps support Yubikey?
| PureParadigm wrote:
| The Password Store app delegates key management to another app. I use OpenKeychain [1] for this. I believe OpenKeychain supports Yubikeys, but I haven't used that feature myself so I can't speak about how well it works.
|
| [1] https://www.openkeychain.org/
| hk1337 wrote:
| You could also store it in a Keybase [1] repo.
|
| [1] https://keybase.io/
| vmception wrote:
| Tangential question: why doesn't keepass or keepassx autosave?
|
| Why does it even have the antiquated save button to begin with?
|
| I have permanently lost access to some things due to this, as other password managers don't have retro features like that. Usually when I'm using unix or linux, it's on an OSX keyboard so even my reflexive shortcut key saving has buttons flipped.
| 002445 wrote:
| Open options, enable autosave, enjoy.
| vmception wrote:
| that should be default, thanks for the tip
| jeremy_k wrote:
| Interesting to see this come up. I wrote about using pass to authenticate to Docker inside of an alpine linux docker container last summer[1]. It was quite the undertaking to get it all working. The premise was to figure out how to securely authenticate to docker, potentially in a CI type system.
|
| [1] - https://jer-k.github.io/apline-linux-docker-authentication-w...
| coldtea wrote:
| > _The password store does not impose any particular schema or type of organization of your data, as it is simply a flat text file, which can contain arbitrary data._
|
| That whole section, the options (or lack thereof) is a mess...
| encryptluks2 wrote:
| Not really.. Gopass which is compatible supports YAML-based key/values. I find having to conform to a particular password management solution for extended entries to be more messy.
| yakubin wrote:
| It is a file-based key-value store, where only the values are encrypted[1], with GPG to make it worse. For these reasons, I moved to KeePassXC. It is cross-platform, has a nice Qt GUI and you don't have to resort to hacks to have several values associated with a single key (i.e. not just password, but also username and others).
|
| [1]: Keys and Git history are not encrypted.
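The "several values per key" point raised above is what pass clients settle by convention rather than by schema: the decrypted file's first line is the password (that is the line `pass -c` copies) and clients such as browserpass and gopass read "key: value" lines after it. The following is an added example, not code from pass, gopass or browserpass; it assumes exactly that layout (password first, then optional "key: value" lines, everything else free-form notes) and shows the edge case of a line whose colon is not a field separator, such as an otpauth URI.

```python
"""Parse the multi-line entry layout that pass and its clients rely on.

Assumed layout (a client convention, not a pass API): the decrypted entry
has the password on its first line, which is what `pass -c` copies, and
optional "key: value" lines after it, as browserpass and gopass read them.
Every other line is kept as free-form notes. Added example; not code from
pass, gopass or browserpass.
"""
from dataclasses import dataclass, field


@dataclass
class Entry:
    password: str
    fields: dict = field(default_factory=dict)
    notes: list = field(default_factory=list)


def first_line(text: str) -> str:
    """What `pass -c` copies: the first line of the decrypted entry."""
    return text.split("\n", 1)[0]


def parse_entry(text: str) -> Entry:
    """Split a decrypted entry into password, "key: value" fields and notes.

    A line counts as a field only when it has the form "key: value" with a
    single-word key and a colon followed by a space; that keeps lines such
    as "otpauth://..." (the TOTP convention browserpass uses) out of the
    field table, because their colon is not followed by a space.
    """
    lines = text.splitlines()
    if not lines or not lines[0].strip():
        raise ValueError("entry has no password line")
    entry = Entry(password=lines[0])
    for line in lines[1:]:
        if not line.strip():
            continue
        key, sep, value = line.partition(": ")
        key = key.strip()
        if sep and key and " " not in key and value.strip():
            entry.fields[key.lower()] = value.strip()
        else:
            entry.notes.append(line.rstrip())
    return entry


# Constructed sample of a decrypted entry; nothing here is a real secret.
SAMPLE_ENTRY = """correct horse battery staple
login: alice
URL: https://example.com/login
otpauth://totp/example?secret=PLACEHOLDER
Recovery codes are in the safe.
"""

if __name__ == "__main__":
    parsed = parse_entry(SAMPLE_ENTRY)
    print("password:", first_line(SAMPLE_ENTRY))
    print("fields:", parsed.fields)
    print("notes:", parsed.notes)
```

Keys are lower-cased so `URL:` and `url:` resolve to the same field; a client that fills forms would pick `login` and `url` from `fields` and ignore `notes`. The flip side of the convention is that nothing enforces it: a file whose first line is a comment hands that comment to `pass -c`, which is why the parser refuses an entry whose first line is blank.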
| netflixandkill wrote:
| Unless you need multiple concurrent writers or some kind of RBAC it's going to be really hard for anything to beat the KP database just because it already takes things like that into account, along with optional entry history, arbitrary associated values, etc.
|
| Been using it both with computers/phones and via programmatic access on cloud storage for years.
| taeric wrote:
| I get why folks don't like gpg for securing email. What makes this use of it bad?
| yakubin wrote:
| Because you still need to manage your GPG keys with an obscure CLI. When I last switched computers, I tried just copying my "~/.gpg" directory. Didn't work. GPG was confused, produced even more confusing messages, which didn't really help me understand what the problem was. I needed to google for the right incantation of commands to export my keys from one computer and import them on another. Compare that to what you have with KeePassXC: switching computers? Just copy this single file and everything will just work.
|
| And I don't want to know if I'm holding GPG right. I just want the tool to work for my specific case. But GPG wasn't designed specifically with this case in mind, so, as usual, it will be terrible. It tries to be too many things.
| aborsy wrote:
| Here are some of the pros of Pass:
|
| * It leaks meta-data. That might sound like a con, but in exchange you get the ability to extract a password without decrypting and thus exposing other passwords.
|
| * It's more convenient than a single file password manager. You type ''pass -c goo'' for your Google account, instead of clicking on your password manager, typing password, searching in database, finding the right entry, copying password or pressing auto complete and closing the database.
|
| * You don't need your master password to add a new password (it uses asymmetric encryption).
|
| * You can easily program it, e.g., write backup scripts that grab a password from the store.
|
| * It uses GPG which means your secret key can be stored on a Yubikey, handled by a dedicated agent. Your password is basically a short PIN. This is unparalleled convenience!
|
| * It's secure, because it's a short bash script that you can check, and uses a dedicated well-audited cryptographic tool.
|
| There might be a few cons though. For example, if you store your database on a cloud, say, Dropbox, Dropbox could switch your Dropbox.com file with google.com file, and you copy and hand over your Google password to Dropbox. But this is hypothetical for most of us! Also, some people don't like metadata (filenames) leakage, though apparently there are solutions for that.
|
| Overall it's very convenient and functional. I highly recommend it.
| smegcicle wrote:
| > For example, if you store your database on a cloud, say, Dropbox, Dropbox could switch your Dropbox.com file with google.com file
|
| That's sad- could we include a hash to detect stuff like this?
| taeric wrote:
| The asymmetric point is surprisingly useful.
| woodruffw wrote:
| I don't use pass myself (I have severe NIH[1]), but its design has inspired me many times over: very, very few tools rise to the challenge of adhering to the Unix philosophy without cargo-culting it, and pass is one of them. I _highly_ recommend that people looking to write engineer-friendly tools study its manpage[2].
|
| [1]: https://github.com/woodruffw/kbs2
|
| [2]: https://git.zx2c4.com/password-store/about/
| ruiseal wrote:
| I also wrote my own age compatible pass clone a year ago but yours is much better. You've gotten a new user.
| slk500 wrote:
| I finally have found peace with emacs orgmode+gpg
| 2pEXgD0fZ5cF wrote:
| Been planning to switch to pass for a while now because it looks nice!
|
| Is there a comfortable way to store+access arbitrary files and/or attachments with pass?
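aborsy's hypothetical above (a sync provider swapping dropbox.com.gpg with google.com.gpg so that the wrong password gets pasted into the wrong site) and smegcicle's follow-up question (can a hash detect this?) can be answered with a small integrity check. The following is an added example, not code from pass: it records a SHA-256 manifest of every file in the store while the store is trusted, and later reports files whose ciphertext changed, went missing or appeared. The in-memory store and its "ciphertexts" are constructed placeholders so the example runs offline; `build_manifest_from_dir` does the same against a real store directory.

```python
"""Detect a swapped or altered entry in a synced pass store.

Added example (not code from pass). A manifest of SHA-256 hashes per file
is taken while the store is trusted and kept outside the synced folder (or
signed); a later check reports modified, missing and unknown files. The
STORE dict below is a constructed stand-in for a synced directory, mapping
relative path -> ciphertext bytes, so everything runs offline.
"""
import hashlib
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(store: dict) -> dict:
    """Hash every file in the store, .gpg-id included: an altered .gpg-id
    would make future entries get encrypted to a different key."""
    return {path: sha256_hex(blob) for path, blob in sorted(store.items())}


def build_manifest_from_dir(root: Path) -> dict:
    """Same manifest from a real store directory (e.g. ~/.password-store),
    skipping the .git directory, which carries its own object hashes."""
    return {
        str(p.relative_to(root)): sha256_hex(p.read_bytes())
        for p in sorted(root.rglob("*"))
        if p.is_file() and ".git" not in p.parts
    }


def verify_store(store: dict, manifest: dict) -> dict:
    """Compare the synced store against the trusted manifest.

    A swap of two files shows up as two "modified" paths, because each path
    now carries the other file's hash; a file replaced wholesale is a single
    "modified" path; deletions and additions land in "missing" / "unknown".
    """
    current = build_manifest(store)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unknown": sorted(p for p in current if p not in manifest),
    }


# Constructed stand-in for a synced store; the "ciphertexts" are placeholders.
STORE = {
    ".gpg-id": b"0xPLACEHOLDERKEYID\n",
    "dropbox.com.gpg": b"<constructed ciphertext for the Dropbox entry>",
    "google.com.gpg": b"<constructed ciphertext for the Google entry>",
}


def swapped_store(store: dict, a: str, b: str) -> dict:
    """Return a copy of the store with the contents of two paths exchanged,
    i.e. the scenario from the thread."""
    copy = dict(store)
    copy[a], copy[b] = store[b], store[a]
    return copy


if __name__ == "__main__":
    manifest = build_manifest(STORE)  # taken while the store is trusted
    print("clean:", verify_store(STORE, manifest))
    tampered = swapped_store(STORE, "dropbox.com.gpg", "google.com.gpg")
    print("after swap:", verify_store(tampered, manifest))
```

Two caveats decide whether this helps. The manifest has to live where the sync provider cannot rewrite it (another device, or a copy signed with the same GPG key), otherwise it gets swapped together with the entries; and it must be rebuilt after every legitimate `pass insert` or `pass edit`, since it cannot tell an edit from tampering. pass's git integration already provides the same guarantee for free: every commit pins the hash of each blob, so after a sync a swapped pair of files appears as unexpected working-tree changes in `pass git status` and `pass git diff`.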
| tlackemann wrote:
| Pass user for many years, always loved it.
|
| There are a number of ways to integrate it into rofi too, so with the press of a few keys I can navigate to any site and log in instantly.
|
| To squash a few concerns:
|
| - Leaking data - If someone types "pass" in your terminal it will show a list of sites that you've stored. I don't find this any less obvious than if someone had LastPass installed on their machine.
|
| - Trusting different app developers - This can be true, but if you stick with the CLI then there's only one app to trust - and one person! You don't rely on a company to safeguard your data, you trust yourself.
|
| YMMV, thoughts are my own. I happen to very much enjoy pass and I think others might too if you like owning your own data.
| JadoJodo wrote:
| I love the idea of Pass, but from what I've seen of the UX (not talking looks) it doesn't really compare to the ease of use of products like 1Password (which I suspect was the catalyst for this being reposted). Does anyone have any contrary experiences when shared across iOS, Linux, and macOS devices + browsers?
| Skunkleton wrote:
| I really like pass, but I switched to Bitwarden for this reason. Bitwarden has first party support everywhere I need it. Pass has clients everywhere, but other than the CLI I have not been impressed.
| cameronhowe wrote:
| it couldn't be easier to keep up to date across devices:
|
| pass git push
| pass git pull
|
| there are also at least two browser addons both of which work very well for filling fields
| 12ian34 wrote:
| um, yes, it could be easier. It could sync across devices automatically...
| encryptluks2 wrote:
| QtPass was decent last time I tried it but I'm not sure if it has been updated recently. Not really much need to have a separate GUI though when there are browser extensions like Browserpass.
| gmuslera wrote:
| Its simple file format lets you build different interfaces to access the same files. I prefer gopass (https://www.gopass.pw/) as user interface as it has a few extra features that make it a bit more comfortable.
| philips wrote:
| I love pass but mostly use it as a tool for an encrypted journal.
|
| alias journal='pass edit journal/$(date +%Y-%m-%d)'
| kingo55 wrote:
| Great use case!
| nextstep wrote:
| Is there a way to synchronize this with 1Password via a plug-in? I would like to use pass as another backup of my 1Password database.
| bloaf wrote:
| It feels nice and clean, but also like it is leaking the list of sites I use.
| teddyh wrote:
| Leaking to where?
| bloaf wrote:
| To anything with read access to your chosen storage filesystem.
| ufo wrote:
| In the default settings the names of the websites are stored unencrypted, in the filenames.
| battles wrote:
| To anyone who types pass in your terminal it looks like.
| cameronhowe wrote:
| compared to other password managers which is just an encrypted database.
|
| pass uses normal folders to store your website/username information so in that way it is less protected.
| _jal wrote:
| Something to consider, sure.
|
| But the exposure is to anyone with access to your encrypted pass data. Which in the normal use case is going to be anyone with access to your user account, which means they could likely already see your shell and browser history.
| [deleted]
| woodruffw wrote:
| I think this is outside of the threat model of most password managers -- your desktop search history (whether in your shell, Spotlight, or whatever) is leaking equivalent and probably more detailed information.
| ufo wrote:
| It can be a problem if you want to back up the password database to the cloud.
|
| That's part of the threat model for most other password managers, which use a single encrypted file for the database.
| Pass is the only popular one I know that stores part of the information in plaintext.
| woodruffw wrote:
| I don't actually use pass, but as an idle thought: if you're concerned about this sort of metadata when syncing your `pass` store to a cloud provider, why not take advantage of the GPG key you already have and encrypt everything as a single blob in one shot? You pay a little more with each synchronization, but probably not enough to worry about for reasonably sized stores.
| zabzonk wrote:
| In what sense is this "standard"?
___________________________________________________________________
(page generated 2021-04-13 23:00 UTC)