How does this compare to other popular solutions? Specifically, KeepassX / Keepass2 which are the most common solutions I've seen most Unix / Linux users employ. Can we objectively state which one is a better solution?
Pass encrypted passwords are kept in your computer, which I find safer than web based solutions. Optionally you can use git to share passwords between computers but you still need the gpg2 keys from the original repo.
So it does, yes. I forgot about that, since I needed to write my own wrapper to paste both username and password (stored on separate lines) anyway. Thank you for the correction, I'll update my post.
There is also QtPass (GUI around pass), and various browser extensions (e.g. BrowserPass).
Of course one has to set it up, it's not an integrated solution. But GPG provides interesting features like storing encryption keys on hardware devices. Some devices like Yubikeys can have touch-to-use enabled. So each use of a secret requires a touch (after PIN but that's once a session). Perfect combination of convenience and security for me.
I've been using this for a while and am very happy. Especially the ability to use a private git repository for synchronization of laptop and desktop makes this convenient.
Pass is pretty awesome, but nowadays I've switched to gopass: https://github.com/justwatchcom/gopass - much better support for teams, structured secrets, binary secrets and quite a few other improvements. Oh, and it's (mostly) drop-in compatible.
Looks nice. Unfortunately I would never use it for teams as it doesn't have audit logs. These are very useful in case a user is compromised - you can lookup which passwords he accessed and only change those. Same goes if the user left the team and u want to make sure all accesses are revoked.
Really? What if s/he just decrypted the file themselves and had a look at the content, rather than using the convenient wrapper that a password manager provides?
Thats why password managers that do support audit logs (normally) do not provide this kind of mechanism of manually decrypting the file. The only way of accessing passwords would be through whatever interface they came up with.
The password manager of course does not "provide" such a mechanism (I imagine providing a "bypass audit logs" button would not be a popular feature). But if you know the key (the master password, or some derivative of it) and you have the ciphertext then you will be able to get the plaintext.
The only way this kind of auditing could be trusted is if all the secrets are stored on the server that implements the auditing, which is exactly the model I believe that most users of `pass` are trying to avoid.
The whole point of the discussion was to highlight a feature that I was missing here - ability to audit who accessed what.
There will always be a person with admin (or master password) access who can edit logs or bypass them entirely, but this is suppose to be a person who has the final responsibility in the team's 'chain of command'. The audit log exists so that this very admin can monitor the logs for suspicious behavior and clean up the passwords after a team member leaves. Hence, having the ability to decrypt the db with a master password is irrelevant as the master password should only be accessible to the admin.
Yep. Or saves the plaintext of the password elsewhere after using it once for a "legit" use.
Rule zero of security is that you can't ask people to forget things. If they had knowledge of a shared secret and they're not supposed to going forward, then that shared secret needs to be changed.
Thats the whole point of audit logs. You lookup the passwords he accessed and only rotate those (vs rotating all of team's shared secrets because you dont know which ones he used/saved/etc).
You're missing the point. The software has no way to tell if a compromised user looked at certain passwords out of band. The audit logs aren't guaranteed to be complete, so you should rotate every key they could have accessed anyway.
No it actually is not the whole point. Security is never convenient. If you do not have an active password rotation automated for all accounts, even shared, then you should be more worried about an employee reporting you to compliance officers. #justsaying
Huh? Its not reasonable to expect automated password rotation for all shared secrets, especially for external services that a team could use. Some passwords will always need to be rotated manually.
My impression of Vault is that it is more useful for automated situations. How useful is it as a shared password manager? Do you have non-technical folks using it? And if so, how are they interacting with the vault?
Sounds like a great idea for a side project. Build a user friendly interface that leverages a remote vault server on the backend. It's primary use case if definitely for applications.
There are a handful of web-based UIs that have been built. And I believe Hashicorp offers one with their enterprise product. But from what I can gather they all still have a bit more of a learning curve than your average password manager.
No purely non-technical individuals as far as I know, but there are a number of non-developer analysts using it who wouldn't otherwise have much exposure to a console. The flexibility of the access policies and the ability for users to easily/securely share secrets under a path with only their team and be able to have multiple policies for multiple teams all under one roof far outweighs any minor struggle during initial adoption.
I've been using pass for a long time now. I have over 200 passwords stored.
I like it because you can use it to store sensitive info along with metadata, not just single field passwords. It's also super easy to access the info on the command line with ways to auto-copy passwords to your clipboard (which expires after 45 seconds).
I use Git; pass has integration with it out of the box (makes a commit for each change to the password store). I just push and pull periodically myself, but this could be automated. There is an Android app called Password Store that is compatible with pass and has Git integration built in.
I remember seeing some guy who had his `pass` Git repository public on GitHub and challenged the world to crack any of them. Myself, it's just git+ssh to a repository on my own server.
As others have mentioned, git / dropbox works well for this.
But personally I use a different approach. I rolled my own little rsync script that syncs files that I care about (passwords and other things) between my workstation and Chromebook (I run Linux natively on it).
I use Dropbox but I also use git-remote-gcrypt[0] to encrypt the entire Git repo so that even the file names and sub-directories don't leak outside any of my computers or devices.
Well, I guess if you had no master password, any script you expect people to run could have a surreptitious "pass <some args> | curl" to post password data to some web service of your choosing.
Still, if you use a password manager without a master password, I don't think you can be protected from consequence, regardless of what your tools do. Pass could refuse to allow the no master password scenario, or could force some type of blatant user interaction to allow it to work, but ultimately, that user is screwed by something somewhere.
Pass doesn't handle your "master password" at all, it's completely delegated to GnuPG (pass is really nothing more than a shell wrapper your file system, GnuPG, and Git). Does GnuPG let you easily get away without a password on your key, I don't remember ATM.
It's completely possible to setup `pass` such that you can type `pass <name>` and it will print the password to stdout (you might has to pass an extra parameter or so) without ever asking the user to input anything to confirm they approve of this action.
Now if this were to become mainstream, it's almost guaranteed that some percentage of users will set it up to work that way.
And now you have the perfect opportunity to write a script that simply attempts to read passwords using pass and if it succeeds sends the results somewhere on the net.
Browser integration just means you trust the plugins that provide browser integration. May not always be secure. With the recent trend of popular browser extensions being made adware after purchasing them I wouldn't always trust them. A time out clipboard is sufficient for me.
A password manager effectively can't protect against other applications on the same machine. IMO that makes the universality of the clipboard more valuable than the safety of using alternate input methods.
Though since there are plenty of things that block pasting passwords, those alternate options are appreciated.
> so you know and trust every piece of software that is running on your machine?
Ostensibly, yes. Because (as 'StavrosK said), if I don't then we can't even begin to talk about security on that machine yet. We have to start with assumptions somewhere.
If software on your machine is compromised, your machine is compromised (or will be in short order). You need to make reasonable concessions and stick with them in order to get anywhere.
I think the point in discussions like these is, what is the alternative? Ie, add value to the discussion, not argue over semantics. Arguing that everything (or this thing) sucks is.. non constructive. What do you see as better alternatives?
I agree completely, the clipboard is non-trusted. Yet the fact remains, how can we transmit an arbitrary string from a secure app like a password store, to another app in need of authorization? Lets build constructive conversations.
I'm not particularly worried about other applications on my computer listening to the clipboard. But I 99% of the time I'm pasting into a webpage in Chrome or Firefox. Can any open tab sniff the clipboard passively?
No, webpages get to the contents of clipboard only after explicit user interaction.
On the other hand it does not work this way in the other direction. Random web pages can manipulate your primary selection and overwrite it with random garbage (this primarily happens with various attempts to make copying stuff from the page more "convenient", pretyy comonly resulting in state when it is simply impossible to copy said thing into say rxvt directly). It is somewhat ironic that chrome's address bar uses some magic to prevent this from happening, while the same magic is not applied to websites.
The clipboard's biggest vulnerability is the user themselves, but most password managers automatically clear their own entries after a customizable timeout.
Sure other applications can see the clipboard, but if you've got software running on the user's machine you've already won.
It's trivial to script if you want (either by modifying the rather simple pass script itself or by wrapping around it).
Some programs support calling an external command to get a password, that's convenient (mutt and msmtp allow that for instance). I thought about integrating pass in my window manager directly but I didn't take the time to implement it yet.
pass also tries to clear the clipboard after 45 seconds.
But really if you can't trust your clibpoard what can you do? I didn't really feel a lot safer with lastpass' browser plugin.
With all the discussion about 1password and its decision to "more or less" move to the web and a subscription based model, I had a TODO to look at what the open source community had; especially regarding browser plug-ins, mobile apps, etc. I don't understand why a simple problem like password management, needs a subscription and a private company to create software for the problem.
This post seems to have saved me the trouble of Googling myself. I am installing on the Mac and iOS as we speak.
I haven't used the iOS client, but on Android the most common way to sync is to use your own Git repository accessed over SSH. You could use a private GitHub repo or one on your own server.
same on iOS it authenticates to your git repo either with password or SSH key. The only "complexity" in setting the app up is giving your public and private GPG keys to the iOS app (you can transfer them using itunes - there's also a facility to scan a QR code, but I don't know how you generate that from your GPG credentials)
> there's also a facility to scan a QR code, but I don't know how you generate that from your GPG credentials
Search for qr on the python package index using pip. There's a module that you can pipe text to and then it'll render a qr code in your terminal using Unicode glyphs. Worked well last I tried. Don't remember what the module was called but you'll be able to find it I som sure.
> I don't understand why a simple problem like password management, needs a subscription and a private company to create software for the problem.
Speaking from recent experience migrating non technical users to 1Password, while something like pass might work well for me/the typical HN user, there's no way I'd try to get family to use it. I have found the overall 1Password user experience to be very friendly and reliable, but am still semi regularly having to help family figure out/re-explain something about how it works. They'd be lost with something like pass.
I wish people would pay pass (or some other auditable open source software team) for this sort of thing instead.
The situation is particularly painful for security critical software like password managers and disk encryption. Commercial software could be keeping a rot-13 copy of the database on an anonymous ftp server for all I know (or, worse, be written for a leaky JavaScript sandbox).
The open source stuff generally stalls out after the first 90% of the functionality is there, and the second 90% of the work remains.
That seems like saying why use an encrypting password manager at all if you're using full disk encryption, isn't it okay to just keep your passwords in plaintext on your encrypted disk?
Encryption only protects files at rest. The vast majority of attacks are against live systems connected to a network, where full disk encryption won't help you one bit. It is a nice extra layer of protection for when a device is lost/stolen, but I don't consider it a primary form of protection for any important data.
It's not. When you decrypt one file you have all of your passwords in-memory (terminal, clipboard, browser extension, qtpass). When you do that for one login/password pair you only expose that pair, not all of the others.
When you decrypt, you have the key in memory in either case. Assuming you don't put all the password into an untrustworthy output (terminal, clipboard, etc), what's the difference ?
I mount my pass dir with encfs. Mount when I need access to passwords, and no need to remember to close it before I shut down (or if the machine randomly crashes).
I can store the encfs encrypted tree on cloud storage (spideroak in my case) and have it synched across machines. Works pretty well.
Check out pw, my alternative to pass, designed because of the reason you mentioned: I don't want my password manager to leak the list of services I use.
In pw each password database is a single file, the internal indexes are random IDs. Each line in a database is a serialized GPG file with a password and associated metadata.
The file format is git-compatible and everything can be managed with standard command line tools.
If your master password leaks you are exposed on every website where you used this scheme (and you should then change every password), so on the security side this is inferior to a master password granting access to uncorrelated passwords.
By the way, I'd prefer to have a password manager on my phone (or smartwatch), and have it beam my password to my keyboard by NFC. But this solution does not exist yet.
As the other commenter pointed out, you need to carry your salt with you to deduce the actual password. On top of that, you need to keep your salt secret, otherwise it is trivial to deduce your password. So your system [password = hash(master password, salt, domain)] is exactly the same as a master password protecting several other ones. Just use your salt as a password directly at this point...
What about websites that require to have special characters in your password, since the hash is just HEX?
What about multiple accounts on the same website, same password?
Hash value is just a value picked out of some domain. For most hashes this domain is Z_{2^n} with n usually divisible by 8. It is then convenient to represent that as hexadecimal number, but there is nothing special about that particular encoding. For purpose of generating secure password you can even use said hash as seed for CSPRNG and then use it for FIPS 181 random password generator algorith or something similar.
Yes, I do something like this, along with storing the password requirements and username/domain in localStorage and allowing it to sync between devices: https://webpass.rkeene.org/
Such ideas are already implemented in deterministic password managers (erm generators) which have a some key security issues related to portablility and weaker schemes that can be hacked and if your master password is compromised or insecure. A bad idea in my opinion.
I use pass and love it. It provides a lot of flexibility. To fix the "website metadata is leaked in filenames" issue, I use another project by Jason, ctmg[0]. I changed the pass directory to be one directory deeper, encrypted it and just do `ctmg open` when I boot to open my password list (similar to unlocking a keypassX store) then use pass as normal. On shutdown, the opened folder is re-encrypted automatically. You could also set a ctmg close on a timer if you don't want the list to be available during your entire session after open.
Other things I do:
* store all the files as .toml files so I can rip specific keys with a custom script.
* Have a directory for web so `pass web` will give me all websites. Have a script to fill username pass for each.
* Have a directory for contacts. Then wrote a script to generate vCard files by crawling and pulling keys, base64 profile images and all.
Syncthing has a mobile app and there's an app for pass called PasswordStore[0] using OpenKeychain[1] (pgp manager). I'm not a fan of putting my private key on my mobile, but if I were, this would be a nice setup.
Since pass supports extension, you can make your setup less complex using pass-tomb. 'pass-tomb' keep the whole tree of password encrypted inside a tomb, see https://github.com/roddhjav/pass-tomb
Nice to hear somebody out there is using ctmg. I never bothered making packages for distros other than Gentoo, but ctmg is quite useful so maybe I'll do that.
Cheers.
Yeah for sure, I was too lazy to make a PR on nixpkgs, but this[0] is what I wrote if anyone stumbles on this using NixOS. The nix package manager can be installed on top of most OS's too.
I've used this for a long time, and along with its Git integration (pushing/pulling to/from a repository on my own server, accessed over SSH) and a GPG key stored on a Yubikey Neo, I've got basically seamless sync between two laptops, a desktop and an Android phone, without using any third-party service.
The "Password Store" app on Android is compatible with `pass` and supports Git and NFC for using the Yubikey Neo to decrypt the passwords.
I've got the same setup, it's pretty great. One thing, though: make sure you have another way of decrypting your passwords! I lost my Yubikey once, and I lost all my passwords. Now I have a copy of that key on a USB drive I keep at home in a small safe.
my FATHER co-worker's sister-in-law makes $73 /hour on the computer . She has been without a job for nine months but last month her check was $20283 just working on the computer for a few hours. This Sitemore information>>>>>>>>>>>http://ow.ly/iBXm30dNtIZ
What's the best way to backup the private key on your yubikey? Do you just generate it on your computer instead of on your device, and then back that up?
Generally a good way to do this is via GPG subkeys. You keep your master/certifying key offline, in your safety deposit box, and load a subkey onto your Yubikey. If the Yubikey is lost, you can easily revoke the subkeys and generate new ones.
Thanks for the link. I started reading through that, and it is quite involved. I'm still deciding if it's worth it.
I'm not sure I fully understand subkeys. It looks like they can be used in place of my main key, and I can generate new subkeys from my main key. Is this so I can revoke my subkeys if they are ever compromised? Can other subkeys decrypt my 'pass' files or is that limited to the subkey that generated them? It seems like the existing private key would be able to decrypt passwords in the future even after it was revoked, if the user still had the original files.
Yes -- revocation is just an indicator of the subkey's trust going forward. Once revoked, the user would generate a new subkey and re-encrypt their password wallet. While the git features and multi-key capabilities of pass lend well to very lightweight team usage, the model is definitely best suited for use by an individual.
Sorry, to clarify, you need to keep a backup of all subkeys along side your master/certifying key. Data encrypted to a given subkey can only be decrypted by that same subkey.
Honestly, if you're using GPG strictly for personal password wallet encryption, and don't intend to maintain an identity tied with the key long term, there's no need to do the subkey thing -- just create an offline key, load it to your YK, then securely store the offline key.
Subkeys shines when you want to maintain an identity long term, while allowing rotation of the keys that do your day to day encryption (or signing/auth)
I have the same setup, but I haven't yet been able to get the Yubikey Neo to work as a GPG key on android via NFC. It prompts for a PIN, but the PIN I use for GPG on linux isn't accepted. There's also no working windows client for this setup, so I find I have to manually copy a lot of 20 character complex passwords by hand these days.
The only problem I got with the password store application is that the Git integration seem to be a bit broken.
It often refuse to push, pull or sync depsite having no conflict.
But you just have to delete the store and pull everything again, so it's not a huge problem.
I don't think the git integration can be broken. You can go into the ~/.password-store directory yourself and see what is going on next time you have issues (it's just a regular git repo).
Note that pass was developed (and is maintained) by Jason Donenfeld (zx2c4), the same person who developed Wireguard, the new VPN protocol.
Not that my opinion is worth a whole lot, but this is the password manager I would choose to use if I wasn't using 1Password. Where many other password managers use convoluted constructions with (e.g.) AES and PBKDF2, this is very straightforward GPG.
GPG is FIPS 140-2 compliant (though pass itself might not be, depending on the specific way it's used). Most likely pass would have to use GPG in a specific FIPS-compliant mode to pursue validation.
GPG has a FIPS mode that will use FIPS 140-2 primitives.
But you'll have a finding an audit in some circumstances as it hasn't been validated. I've seen cases where they'll miss that if it's running on RHEL, but it's a risk.
This looks to me like the correct way to do this in bash, as long as you can guarantee that $PREFIX does not start with whitespace (which may be a valid assumption here).
From what I can tell, the code quality is way better than what you see in your average bash script.
It's basically a rotation manager ! Very powerful and lets you properly change your passwords regularly on many websites (like the proprietary Dashlane Password Changer or Lastpass' similar feature).
I love Pass, but the problem I've had is that I always feel like I have to spend a bunch of time setting it up when I'm on Windows.
I understand it's the standard UNIX password manager, so I suppose I don't have a ton of room to complain, and most of my computers are Mac or Linux, so it's not a huge deal, but I think it increases the barrier of entry a ton of people.
That said, I think Pass is awesome, and having my passwords stored in Github makes me really happy.
the nonexistent browser support makes it even more troublesome to setup. there is some support on linux systems, but windows is plain out of luck
i Really like the idea of pass, but ill never accept copy pasting logins/passwords again. they'll need to be automatically inserted on a matching website. everything else is too much manual overhead for my taste.
yes, as i said before. there is some support for linux systems. i'm using both linux and windows as well as android. my password manager will need to support and autofill on all environments with at least firefox and chrome.
pass got linux covered (both chrome and firefox), but doesn't really work for winndows.
android is really tiresome as well, as there is no way to skip my long masterpassword in favour of a fingerprint. I know, its not easy to implement that feature securely.
Please understand that browser integration is the Achilles' Heel of password managers. While you get the convenience of autofill, you're also bringing access to your password database into the browser's attack surface. Bugs in the browser sandbox or improper extension implementations can allow rogue sites to get the goods. There have been multiple instances of major password manager extensions leaking secrets just in the last year.
Copying and pasting may be annoying, but it's much safer, especially if you use a program that will autoclear your clipboard for you (KeePass 2 does this after 12 seconds by default).
I agree that browser integration is troublesome. To circumvent having to use a browser extension I use rofi-pass[0] which is a external script (using rofi/dmenu and pass), so no browser integration. But it features autofill which is extremely convenient.
It's somewhat easier with Bash on Ubuntu on Windows, tho kinda broken (because the copy to clipboard feature doesn't work out of the box unless you're running an X server).
But yeah, I kinda don't like using Gpg4Win with Cygwin, which is what I'm guessing you've used too.
With the "Creators Update" there's now a `clip.exe` to which one can pipe so maybe it's not too hard to update Pass, which is itself just a Bash script.
I think pass is awesome if you have the workflow that supports it, but for the vast majority (myself included) it's entirely too difficult to setup and maintain. Particularly if you're using Windows regularly.
Setup is a bit of a pain, but what workflow is required? I just keep a Cygwin window or a Bash on Ubuntu on Windows window open and tab over when I need a password. With the shell auto-completion I find it easier to use than other password managers, tho I prefer not using my mouse so I'm surely biased about that aspect.
I was previously using Password Safe, on Windows, and various compatible alternatives on Linux and Mac OS. Years ago I had tried using a single 'safe' synced via Dropbox but that was a big pain in the ass because sometimes I'd inadvertently lock the safe file by, e.g. starting to add a new password but not finishing. So instead I created a separate safe file for each computer or device. To sync new passwords or changes to existing passwords I'd have to periodically merge all of the safes and manually cleanup any conflicts between them.
The main reason why I switched to Pass is that syncing the password stores on each of my devices is so much easier using Git.
Well, I'm talking from a non-developer perspective. I don't use Git daily, so I had to stand up my own Git instance or pay Github for a private repo.
PassFF works well for Firefox on my Mac, but no equivalent for Windows. If you're willing to forgo browser integration then that's less of an issue.
Lack of browser integration might also be less of an issue in Linux with dmenu or rofi plugins like others have mentioned, but that still doesn't solve Windows issues.
I had considered the Bash/Ubuntu/Windows option (instead of qtpass) but haven't tried it yet.
I use a 'remote' repo in Dropbox (and I use git-remote-gcrypt so that the remote repo is fully encrypted, i.e. even file and directory names), so you don't strictly need your own server.
I've seen pass mentioned like a million times but I didn't realize there were so many third party extensions for it, the comments here are pretty helpful. Thanks for the submission!
211 comments
[ 3.1 ms ] story [ 172 ms ] thread- There's no builtin GUI
- Each entry is its own file
- You control the storage format (meaning it's easy to store any kind of information, not just passwords)
- It relies on GPG, so you need to set that up first
pass -c (or --clip) does that for you.
Wrong, pass provides the -c flag which puts it in your clipboard and clears it after a timeout.
Of course one has to set it up, it's not an integrated solution. But GPG provides interesting features like storing encryption keys on hardware devices. Some devices like Yubikeys can have touch-to-use enabled. So each use of a secret requires a touch (after PIN but that's once a session). Perfect combination of convenience and security for me.
Do you mean this:
> YubiKey challenge-response support for strengthening your database encryption key
From https://keepassxc.org/blog/2017-06-26-2.2.0-released/
Then it's not clear for me how this works exactly.
In Keepass, there's a textarea associated with each password entry, which can be used to store extra data like security questions, etc.
Really? What if s/he just decrypted the file themselves and had a look at the content, rather than using the convenient wrapper that a password manager provides?
The only way this kind of auditing could be trusted is if all the secrets are stored on the server that implements the auditing, which is exactly the model I believe that most users of `pass` are trying to avoid.
There will always be a person with admin (or master password) access who can edit logs or bypass them entirely, but this is suppose to be a person who has the final responsibility in the team's 'chain of command'. The audit log exists so that this very admin can monitor the logs for suspicious behavior and clean up the passwords after a team member leaves. Hence, having the ability to decrypt the db with a master password is irrelevant as the master password should only be accessible to the admin.
Rule zero of security is that you can't ask people to forget things. If they had knowledge of a shared secret and they're not supposed to going forward, then that shared secret needs to be changed.
I like it because you can use it to store sensitive info along with metadata, not just single field passwords. It's also super easy to access the info on the command line with ways to auto-copy passwords to your clipboard (which expires after 45 seconds).
I did a write up on it a while back at https://nickjanetakis.com/blog/managing-your-passwords-on-th....
I remember seeing some guy who had his `pass` Git repository public on GitHub and challenged the world to crack any of them. Myself, it's just git+ssh to a repository on my own server.
But personally I use a different approach. I rolled my own little rsync script that syncs files that I care about (passwords and other things) between my workstation and Chromebook (I run Linux natively on it).
[0]: https://github.com/spwhitton/git-remote-gcrypt
Still, if you use a password manager without a master password, I don't think you can be protected from consequence, regardless of what your tools do. Pass could refuse to allow the no master password scenario, or could force some type of blatant user interaction to allow it to work, but ultimately, that user is screwed by something somewhere.
Now if this were to become mainstream, it's almost guaranteed that some percentage of users will set it up to work that way.
And now you have the perfect opportunity to write a script that simply attempts to read passwords using pass and if it succeeds sends the results somewhere on the net.
https://github.com/carnager/rofi-pass/
Gets me really close to the holy grail of password managers. Browser integration is possible too with PassFF:
https://github.com/passff/passff
I think a better idea would be to fill in the password through something like xdotool
A password manager effectively can't protect against other applications on the same machine. IMO that makes the universality of the clipboard more valuable than the safety of using alternate input methods.
Though since there are plenty of things that block pasting passwords, those alternate options are appreciated.
Ostensibly, yes. Because (as 'StavrosK said), if I don't then we can't even begin to talk about security on that machine yet. We have to start with assumptions somewhere.
If software on your machine is compromised, your machine is compromised (or will be in short order). You need to make reasonable concessions and stick with them in order to get anywhere.
I agree completely, the clipboard is non-trusted. Yet the fact remains, how can we transmit an arbitrary string from a secure app like a password store, to another app in need of authorization? Lets build constructive conversations.
The clipboard feature is helpful in pass, when I have someone standing over my shoulder or connected to a projector.
On the other hand it does not work this way in the other direction. Random web pages can manipulate your primary selection and overwrite it with random garbage (this primarily happens with various attempts to make copying stuff from the page more "convenient", pretyy comonly resulting in state when it is simply impossible to copy said thing into say rxvt directly). It is somewhat ironic that chrome's address bar uses some magic to prevent this from happening, while the same magic is not applied to websites.
Sure other applications can see the clipboard, but if you've got software running on the user's machine you've already won.
Some programs support calling an external command to get a password, that's convenient (mutt and msmtp allow that for instance). I thought about integrating pass in my window manager directly but I didn't take the time to implement it yet.
pass also tries to clear the clipboard after 45 seconds.
But really if you can't trust your clibpoard what can you do? I didn't really feel a lot safer with lastpass' browser plugin.
This post seems to have saved me the trouble of Googling myself. I am installing on the Mac and iOS as we speak.
Search for qr on the python package index using pip. There's a module that you can pipe text to and then it'll render a qr code in your terminal using Unicode glyphs. Worked well last I tried. Don't remember what the module was called but you'll be able to find it I som sure.
Speaking from recent experience migrating non technical users to 1Password, while something like pass might work well for me/the typical HN user, there's no way I'd try to get family to use it. I have found the overall 1Password user experience to be very friendly and reliable, but am still semi regularly having to help family figure out/re-explain something about how it works. They'd be lost with something like pass.
My parents don't speak English. Not everyone does.
That's what you're paying 1Password for.
The situation is particularly painful for security critical software like password managers and disk encryption. Commercial software could be keeping a rot-13 copy of the database on an anonymous ftp server for all I know (or, worse, be written for a leaky JavaScript sandbox).
The open source stuff generally stalls out after the first 90% of the functionality is there, and the second 90% of the work remains.
Encryptr uses their no-knowledge cloud. It's pretty cool and their processes are openly documented.
It's convenient yes, but I prefer one encrypted file that contains it all.
There is a concept for 'defense in depth', saying that every component should be secure on its own and not rely on other components.
See https://github.com/roddhjav/pass-tomb
However keep in mind it's not always a big "issue", for instance only looking at your browser history will retrieve the same knowledge.
Pass is pretty much a glorified bash script using GPG and Git.
Adding filename encryption on top would be a nightmare, not to mention that terminal suggestions would be pretty much broken.
You can always write an (encrypted) index file that contains a simple list of all domains.
I can store the encfs encrypted tree on cloud storage (spideroak in my case) and have it synched across machines. Works pretty well.
https://github.com/gioele/pw
In pw each password database is a single file, the internal indexes are random IDs. Each line in a database is a serialized GPG file with a password and associated metadata.
The file format is git-compatible and everything can be managed with standard command line tools.
I think this is something the browser should offer by default.
I know, it's not perfect, but it beats carrying around password files between devices.
By the way, I'd prefer to have a password manager on my phone (or smartwatch), and have it beam my password to my keyboard by NFC. But this solution does not exist yet.
[0] https://chiselapp.com/user/rkeene/repository/hunter2/
Other things I do:
* store all the files as .toml files so I can rip specific keys with a custom script.
* Have a directory for web so `pass web` will give me all websites. Have a script to fill username pass for each.
* Have a directory for contacts. Then wrote a script to generate vCard files by crawling and pulling keys, base64 profile images and all.
* use syncthing to keep all devices up to date.
It's pretty slick workflow IMHO
[0] https://git.zx2c4.com/ctmg/about/
[0]: https://github.com/zeapo/Android-Password-Store
[1]: https://github.com/open-keychain/open-keychain
Edit: yeah for ctmg support, probably have to hold out for something like PostMarketOS to save us.
[0]: https://pastebin.com/raw/FYMean1q
The "Password Store" app on Android is compatible with `pass` and supports Git and NFC for using the Yubikey Neo to decrypt the passwords.
Here's a nice tutorial on it: https://www.jfry.me/articles/2015/gpg-smartcard/
I'm not sure I fully understand subkeys. It looks like they can be used in place of my main key, and I can generate new subkeys from my main key. Is this so I can revoke my subkeys if they are ever compromised? Can other subkeys decrypt my 'pass' files or is that limited to the subkey that generated them? It seems like the existing private key would be able to decrypt passwords in the future even after it was revoked, if the user still had the original files.
If I generate 2 subkeys, can they both encrypt and decrypt my passwords? The only difference is that I can revoke them independently?
Honestly, if you're using GPG strictly for personal password wallet encryption, and don't intend to maintain an identity tied with the key long term, there's no need to do the subkey thing -- just create an offline key, load it to your YK, then securely store the offline key.
Subkeys shines when you want to maintain an identity long term, while allowing rotation of the keys that do your day to day encryption (or signing/auth)
I definitly have to try the yubikey integration !
[1]: https://termux.com
Not that my opinion is worth a whole lot, but this is the password manager I would choose to use if I wasn't using 1Password. Where many other password managers use convoluted constructions with (e.g.) AES and PBKDF2, this is very straightforward GPG.
That's a bonus until you need to demonstrate FIPS 140-2 validation.
But you'll have a finding an audit in some circumstances as it hasn't been validated. I've seen cases where they'll miss that if it's running on RHEL, but it's a risk.
To illustrate my point, look at the elaborate loop to iterate over *.gpg files: https://git.zx2c4.com/password-store/tree/src/password-store...
This looks to me like the correct way to do this in bash, as long as you can guarantee that $PREFIX does not start with whitespace (which may be a valid assumption here).
From what I can tell, the code quality is way better than what you see in your average bash script.
It's basically a rotation manager ! Very powerful and lets you properly change your passwords regularly on many websites (like the proprietary Dashlane Password Changer or Lastpass' similar feature).
I understand it's the standard UNIX password manager, so I suppose I don't have a ton of room to complain, and most of my computers are Mac or Linux, so it's not a huge deal, but I think it increases the barrier of entry a ton of people.
That said, I think Pass is awesome, and having my passwords stored in Github makes me really happy.
i Really like the idea of pass, but ill never accept copy pasting logins/passwords again. they'll need to be automatically inserted on a matching website. everything else is too much manual overhead for my taste.
https://addons.mozilla.org/en-US/firefox/addon/passff/
https://addons.mozilla.org/en-US/firefox/addon/pass-manager/
pass got linux covered (both chrome and firefox), but doesn't really work for winndows.
android is really tiresome as well, as there is no way to skip my long masterpassword in favour of a fingerprint. I know, its not easy to implement that feature securely.
Copying and pasting may be annoying, but it's much safer, especially if you use a program that will autoclear your clipboard for you (KeePass 2 does this after 12 seconds by default).
[0] https://github.com/carnager/rofi-pass
But yeah, I kinda don't like using Gpg4Win with Cygwin, which is what I'm guessing you've used too.
With the "Creators Update" there's now a `clip.exe` to which one can pipe so maybe it's not too hard to update Pass, which is itself just a Bash script.
Today I found this, need to check it out: https://github.com/Baggykiin/pass-winmenu
I was previously using Password Safe, on Windows, and various compatible alternatives on Linux and Mac OS. Years ago I had tried using a single 'safe' synced via Dropbox but that was a big pain in the ass because sometimes I'd inadvertently lock the safe file by, e.g. starting to add a new password but not finishing. So instead I created a separate safe file for each computer or device. To sync new passwords or changes to existing passwords I'd have to periodically merge all of the safes and manually cleanup any conflicts between them.
The main reason why I switched to Pass is that syncing the password stores on each of my devices is so much easier using Git.
PassFF works well for Firefox on my Mac, but no equivalent for Windows. If you're willing to forgo browser integration then that's less of an issue.
Lack of browser integration might also be less of an issue in Linux with dmenu or rofi plugins like others have mentioned, but that still doesn't solve Windows issues.
I had considered the Bash/Ubuntu/Windows option (instead of qtpass) but haven't tried it yet.
I use a fish script to hook it up to https://github.com/junegunn/fzf for easy search and copying to the clipboard. https://github.com/zabil/thanksforallthefish/blob/6145e98691...
Found out I needed GPG, and some encryption key or ID and whatnot. I have no clue what these things are and would like to know.
How can I learn about this encryption stuff like keys and RAS and whatnot? (Books n Articles)
https://wiki.archlinux.org/index.php/GnuPG https://wiki.archlinux.org/index.php/Pass
The simplest way to create your gpg-id is with:
$ gpg --gen-key
Fill in your name and email in the prompts. When it tells you it needs to generate a lot of random bytes, you'll probably want to do something like
$ find /
to generate disk entropy for gpg to pull enough random bytes from /dev/random to create your keys.
You can use the email you provided as the gpg-id you give to pass
$ pass init $email
I would claim that there isn't a more convenient password management solution than this.