pass - the standard unix password manager
Password management should be simple and follow Unix philosophy. With pass,
each password lives inside of a gpg encrypted file whose filename is the
title of the website or resource that requires the password. These encrypted
files may be organized into meaningful folder hierarchies, copied from
computer to computer, and, in general, manipulated using standard command
line file management utilities.
http://www.passwordstore.org/

Upside is that it has a ton of implementations readily available - browser integration, mobile apps, etc. The linked one (passbox) is just a bash script at the moment; if one wants to use it across multiple devices and platforms, the experience may be quite rough.
Another upside is that with a single file model you have to invent your own conflict resolution scheme. For pass, git just does the trick. And this one doesn't seem to have anything in this regard.
The "entry" names (which I think would correspond to filenames in `pass`) appear to be passed on the command line here; they'll likely get swept up in your shell's history file, unless you're careful. (And thus, are essentially in the open, just like pass.) That said, I think most shells make their histfiles 600, so they're not directly readable. (And I think `pass`'s directory is 700, similarly.) And you have to trust the machine you're running on, of course; otherwise, I can just dump the memory as soon as your keyring is decrypted.
I think it was when `pass` was on HN that I mentioned this; I have a terminal keyring manager myself[1], but one of the design decisions I made in it (aside from a single-file archive) was to not pass entry names on the command line, specifically so they won't get swept up in histfiles. It's easy, though, to make it optional, and let the user decide what they want to do. Of course, your
[1] which is way not ready to be looked at… also seems like we as a crowd enjoy this topic (keyrings) as a side project.
Is this something that can't be fixed by directory perms?
Annoying amount of hubris.
This pile of unattractive bash-snippets is neither unix nor standard. Just call it what it is: A very dependent script that will probably work on most GNU/Linux distributions.
I had a play with 'pass' before but I wasn't keen on the way it splits the entries up into separate files, which was one of the drivers for putting passbox together.
The only (somewhat big) downside to this, and related unix pw managers is the sheer lack of browser compatibility - mobile would also be nice, as that's one of the places where it's a PITA to use and enter long passphrases.
pass claims to have both, but doesn't:
https://github.com/jvenant/passff#readme does not work.
The iOS app has disappeared from github: https://github.com/rephorm/pass-ios#readme
It's solvable problems, I just find it a somewhat important part of a password manager.
Firefox and Chrome extensions are working, and I'm currently spending a few hours a week on migrating to the new Firefox-extension protocol.
Are there any security concerns of the password being in the clipboard/memory (beyond the obvious of accidentally pasting it)?
It would be possible to construct an attack using Flash to access a user's clipboard from a web browser.
I know a lot of people like to have browser plugins for password managers but I always feel uncomfortable using them because I don't understand enough about the technology to trust that it won't be vulnerable.
pass [0] (see comment above [1]) claims to do that:
show [ --clip, -c ] pass-name
Decrypt and print a password named pass-name. If --clip or -c is specified,
do not print the password but instead copy the first line to the clipboard
using xclip(1) and then restore the clipboard after 45 (or
PASSWORD_STORE_CLIP_TIME) seconds.
[0] http://www.passwordstore.org/

1Password is honestly the one app that has kept me from switching to Linux from OSX. Would love to see a decent open source alternative.
hash(website name + global password + increment) = password to use?
or something like it
Here's a quick analysis of pros and cons of password generators compared to password managers: http://crypto.stackexchange.com/a/5691/291
I used a password generator (my own) for a few years, and I'm happy to use a password manager now, which is safer and makes me avoid keeping certain information in my mind (e.g. if I already have an account on this website and what's my username for it).
The major downside is a site saying "your password must [not] contain blah-blah-blah"/"be N to M characters long"/"may contain only digits" when the generated one just happens to not conform to such a restriction. In my personal experience, one out of a dozen sites tries to be a smartass about the passwords, so the scheme is a PITA in the long run.
Without the increment you also can't rotate passwords, while with the increment you need to store the increment value (and if you do keep the notes and the master secret, why not just remember the password already?)
The password managers are more flexible than password generators, because they don't have such limitations.
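The derivation sketched above (a hash of site name, master secret and increment) together with the two problems the reply raises (rotation needs a stored increment, and sites reject passwords that don't fit their rules), as an added Python example that is not from this thread nor from pass or passbox. The thread says only "hash"; PBKDF2-HMAC-SHA256 with a high iteration count, the 64-character output alphabet, the `counters` dict and the policy dicts are assumptions of this example.

```python
import hashlib
import string

# 64 symbols, so ALPHABET[b % 64] is uniform over uniform bytes (no modulo bias).
# This alphabet is a constructed choice, not something the thread specifies.
ALPHABET = string.ascii_letters + string.digits + "-_"
ITERATIONS = 200_000  # slows an offline guess of the master secret from one leaked site password


def derive_password(master: str, site: str, counter: int, length: int = 16) -> str:
    """Deterministic site password: the thread's hash(site + master + increment),
    realised here as PBKDF2-HMAC-SHA256 keyed by the master secret (an assumption).
    Site and counter are length-prefixed and separated so that different
    (site, counter) pairs can never produce the same input string."""
    salt = f"{len(site)}:{site}:{counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS, dklen=length)
    return "".join(ALPHABET[b % len(ALPHABET)] for b in key)


def rotate(master: str, site: str, counters: dict) -> str:
    """Bump the stored increment for `site` and return the new password.
    `counters` is the per-site state the reply points out you cannot avoid keeping:
    lose it and you can no longer reproduce the current password."""
    counters[site] = counters.get(site, 0) + 1
    return derive_password(master, site, counters[site])


def check_policy(password: str, policy: dict) -> list:
    """Return the rules of a (constructed) site policy that `password` violates.
    A generator cannot know these rules, which is the 'one site in a dozen' problem."""
    problems = []
    if len(password) < policy.get("min_len", 0):
        problems.append("too short")
    if len(password) > policy.get("max_len", 10**9):
        problems.append("too long")
    if policy.get("need_digit") and not any(c.isdigit() for c in password):
        problems.append("no digit")
    if policy.get("digits_only") and not password.isdigit():
        problems.append("not digits only")
    for ch in policy.get("forbidden", ""):
        if ch in password:
            problems.append(f"contains forbidden {ch!r}")
    return problems


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample secret
    counters = {}  # the increment store; must be kept alongside the master secret
    first = rotate(master, "example.com", counters)
    second = rotate(master, "example.com", counters)
    print("counter 1:", first)
    print("counter 2:", second, "(rotation changed it)")
    # A constructed policy of the "may contain only digits, 6 to 8 long" kind:
    print("violations:", check_policy(first, {"min_len": 6, "max_len": 8, "digits_only": True}))
```

Because the output alphabet is fixed in the generator, a site that forbids `-` or demands a symbol outside the alphabet can only be satisfied by a per-site exception, and that exception is yet another piece of state to store; this is the point at which a manager that simply records an arbitrary password becomes the simpler design.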
I have used this personally since I wrote it. Given the downsides, I agree that password managers are probably better for most people.