The "Password Store" app on Android is compatible with `pass` and supports Git and NFC for using the Yubikey Neo to decrypt the passwords.
I definitely have to try the Yubikey integration!
[1]: https://termux.com
It's convenient, yes, but I prefer one encrypted file that contains it all.
See https://github.com/roddhjav/pass-tomb
However keep in mind it's not always a big "issue", for instance only looking at your browser history will retrieve the same knowledge.
I can store the encfs encrypted tree on cloud storage (spideroak in my case) and have it synched across machines. Works pretty well.
There is a concept for 'defense in depth', saying that every component should be secure on its own and not rely on other components.
In pw each password database is a single file, the internal indexes are random IDs. Each line in a database is a serialized GPG file with a password and associated metadata.
The file format is git-compatible and everything can be managed with standard command line tools.
If you do not want to synchronize your vault among all your devices, but still want to have a unique password per site, try LessPass[1]. LessPass is a stateless open source password manager.
Disclaimer: I am the creator of LessPass.
One benefit of the password-protect-text-file method over Lesspass is you can also save answers to so-called "security questions" (for those sites that still use them, like Paypal and government sites).
Alternatively, one can use Schneier's write-down-password-on-a-small-piece-of-paper method.
https://www.schneier.com/blog/archives/2005/06/write_down_yo...
I have all this stored in my Linux box. I back up to my server-side encrypted AWS S3 bucket protected with 2FA. No need for me to sync anything, but if I need access to my VeraCrypt file, I can download it when required.
I've used this method for two decades now, first using OSX .dmg files, then TrueCrypt, now VeraCrypt. Simple, and works well.
The list of differences to LastPass is long.
Pass is open source. Pass doesn't store your information on anybody else's computer by default. Pass has no first-party browser plugin and is therefore not open to attack through browser plugin holes.
On the other hand you control everything by yourself including batch updating your passwords. And there's no online service.
There is no need to put anything on someone else's computer.
- There's no builtin GUI
- Each entry is its own file
- You control the storage format (meaning it's easy to store any kind of information, not just passwords)
- It relies on GPG, so you need to set that up first
In Keepass, there's a textarea associated with each password entry, which can be used to store extra data like security questions, etc.
pass -c (or --clip) does that for you.
Wrong, pass provides the -c flag which puts it in your clipboard and clears it after a timeout.
I understand it's the standard UNIX password manager, so I suppose I don't have a ton of room to complain, and most of my computers are Mac or Linux, so it's not a huge deal, but I think it increases the barrier of entry for a ton of people.
That said, I think Pass is awesome, and having my passwords stored in Github makes me really happy.
But yeah, I kinda don't like using Gpg4Win with Cygwin, which is what I'm guessing you've used too.
With the "Creators Update" there's now a `clip.exe` to which one can pipe so maybe it's not too hard to update Pass, which is itself just a Bash script.
I really like the idea of pass, but I'll never accept copy-pasting logins/passwords again. They'll need to be automatically inserted on a matching website. Everything else is too much manual overhead for my taste.
Copying and pasting may be annoying, but it's much safer, especially if you use a program that will autoclear your clipboard for you (KeePass 2 does this after 12 seconds by default).
https://addons.mozilla.org/en-US/firefox/addon/passff/
https://addons.mozilla.org/en-US/firefox/addon/pass-manager/
Today I found this, need to check it out: https://github.com/Baggykiin/pass-winmenu
I think this is something the browser should offer by default.
I know, it's not perfect, but it beats carrying around password files between devices.
Other things I do:
* store all the files as .toml files so I can rip specific keys with a custom script.
* Have a directory for web so `pass web` will give me all websites. Have a script to fill username pass for each.
* Have a directory for contacts. Then wrote a script to generate vCard files by crawling and pulling keys, base64 profile images and all.
* use syncthing to keep all devices up to date.
It's a pretty slick workflow IMHO.
[0]: https://github.com/zeapo/Android-Password-Store
[1]: https://github.com/open-keychain/open-keychain
Edit: yeah for ctmg support, probably have to hold out for something like PostMarketOS to save us.
This post seems to have saved me the trouble of Googling myself. I am installing on the Mac and iOS as we speak.
Speaking from recent experience migrating non-technical users to 1Password, while something like pass might work well for me/the typical HN user, there's no way I'd try to get family to use it. I have found the overall 1Password user experience to be very friendly and reliable, but am still semi-regularly having to help family figure out/re-explain something about how it works. They'd be lost with something like pass.
My parents don't speak English. Not everyone does.
That's what you're paying 1Password for.
Encryptr uses their no-knowledge cloud. It's pretty cool and their processes are openly documented.
https://github.com/carnager/rofi-pass/
Gets me really close to the holy grail of password managers. Browser integration is possible too with PassFF:
I think a better idea would be to fill in the password through something like xdotool
Sure other applications can see the clipboard, but if you've got software running on the user's machine you've already won.
Some programs support calling an external command to get a password, that's convenient (mutt and msmtp allow that for instance). I thought about integrating pass in my window manager directly but I didn't take the time to implement it yet.
pass also tries to clear the clipboard after 45 seconds.
But really, if you can't trust your clipboard, what can you do? I didn't really feel a lot safer with LastPass' browser plugin.
I like it because you can use it to store sensitive info along with metadata, not just single field passwords. It's also super easy to access the info on the command line with ways to auto-copy passwords to your clipboard (which expires after 45 seconds).
I did a write up on it a while back at https://nickjanetakis.com/blog/managing-your-passwords-on-th....
I remember seeing some guy who had his `pass` Git repository public on GitHub and challenged the world to crack any of them. Myself, it's just git+ssh to a repository on my own server.
But personally I use a different approach. I rolled my own little rsync script that syncs files that I care about (passwords and other things) between my workstation and Chromebook (I run Linux natively on it).
Still, if you use a password manager without a master password, I don't think you can be protected from consequence, regardless of what your tools do. Pass could refuse to allow the no master password scenario, or could force some type of blatant user interaction to allow it to work, but ultimately, that user is screwed by something somewhere.
Now if this were to become mainstream, it's almost guaranteed that some percentage of users will set it up to work that way.
And now you have the perfect opportunity to write a script that simply attempts to read passwords using pass and if it succeeds sends the results somewhere on the net.
Really? What if s/he just decrypted the file themselves and had a look at the content, rather than using the convenient wrapper that a password manager provides?
Not that my opinion is worth a whole lot, but this is the password manager I would choose to use if I wasn't using 1Password. Where many other password managers use convoluted constructions with (e.g.) AES and PBKDF2, this is very straightforward GPG.
To illustrate my point, look at the elaborate loop to iterate over *.gpg files: https://git.zx2c4.com/password-store/tree/src/password-store...
This looks to me like the correct way to do this in bash, as long as you can guarantee that $PREFIX does not start with whitespace (which may be a valid assumption here).
From what I can tell, the code quality is way better than what you see in your average bash script.
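As an added illustration of the whitespace concern raised above (this is not password-store's own loop, which the linked source contains, but a reconstruction written for this thread), here is one way to enumerate a store's *.gpg entries that never splits names on whitespace at all: find hands each path to a child shell as an argument, so entries with spaces, leading whitespace or newlines survive, and the prefix itself may start with a space. The demo store, its file names and the helper function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not password-store's own code: enumerate the *.gpg entries
# under a store prefix without ever splitting file names on whitespace.
# Output is NUL-terminated, one entry per record, so callers stay safe too.
set -eu

# Print entry names (relative to the prefix, with the .gpg suffix removed).
# find passes the matching paths as arguments to the inner sh, so no name is
# ever parsed from text; $1 of the inner script is the prefix.
list_entries() {
    find "$1" -type f -name '*.gpg' -exec sh -c '
        prefix=$1; shift
        for path; do
            path=${path#"$prefix"/}
            printf "%s\0" "${path%.gpg}"
        done' _ "$1" {} +
}

# Count entries by counting NUL separators; a line-based count would be wrong
# for names that contain newlines.
count_entries() {
    list_entries "$1" | tr -cd '\000' | wc -c | tr -d ' '
}

# Constructed demo store with deliberately awkward names; the prefix itself
# begins with a space to exercise the edge case discussed in the thread.
make_demo_store() {
    d="$(mktemp -d)/ store"
    mkdir -p "$d/web/ my bank" "$d/ leading space"
    : > "$d/web/ my bank/login.gpg"
    : > "$d/ leading space/acct.gpg"
    : > "$d/plain.gpg"
    : > "$d/web/notes.txt"   # not an entry: wrong suffix
    printf '%s' "$d"
}

# Demo when run as `sh this-script.sh run`: prints the entries one per line
# (newlines inside names would be ambiguous here, which is why the functions
# themselves emit NUL-separated records).
if [ "${1:-}" = "run" ]; then
    store=$(make_demo_store)
    list_entries "$store" | tr '\000' '\n'
    echo "entries: $(count_entries "$store")"
    rm -rf "$(dirname "$store")"
fi
```

The point of the -exec ... {} + form is that the shell never sees the file names as a single string to split, which is the failure mode the thread is worried about; the only quoting that matters is the quoting of "$1" and "$prefix", both of which are already done.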
That's a bonus until you need to demonstrate FIPS 140-2 validation.
- It forgets my GitHub password every time I upgrade
- I honestly don't like the fact that I can't turn off the PIN. 4 digits with unlimited retries.
- It can't merge sometimes. I think they should be more aggressive about git rebase
I created a separate ssh key and did this on my server: https://superuser.com/a/444899
If you can't that's definitely gotta be an issue in their backlog. Seems more robust to have a key for an application to connect with that you can simply revoke.
I was previously using Password Safe, on Windows, and various compatible alternatives on Linux and Mac OS. Years ago I had tried using a single 'safe' synced via Dropbox but that was a big pain in the ass because sometimes I'd inadvertently lock the safe file by, e.g. starting to add a new password but not finishing. So instead I created a separate safe file for each computer or device. To sync new passwords or changes to existing passwords I'd have to periodically merge all of the safes and manually cleanup any conflicts between them.
The main reason why I switched to Pass is that syncing the password stores on each of my devices is so much easier using Git.
PassFF works well for Firefox on my Mac, but no equivalent for Windows. If you're willing to forgo browser integration then that's less of an issue.
Lack of browser integration might also be less of an issue in Linux with dmenu or rofi plugins like others have mentioned, but that still doesn't solve Windows issues.
I had considered the Bash/Ubuntu/Windows option (instead of qtpass) but haven't tried it yet.
Found out I needed GPG, and some encryption key or ID and whatnot. I have no clue what these things are and would like to know.
How can I learn about this encryption stuff like keys and RSA and whatnot? (Books and articles)
https://wiki.archlinux.org/index.php/GnuPG
https://wiki.archlinux.org/index.php/Pass
The simplest way to create your gpg-id is with:
$ gpg --gen-key
Fill in your name and email in the prompts. When it tells you it needs to generate a lot of random bytes, you'll probably want to do something like
$ find /
to generate disk entropy for gpg to pull enough random bytes from /dev/random to create your keys.
You can use the email you provided as the gpg-id you give to pass:
$ pass init $email
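The same setup as a script, added here as an example (not from the thread or from the pass project): it generates the key in gpg's batch mode so there are no prompts, uses the resulting fingerprint as the gpg-id for pass init, then stores and decrypts one entry to prove the round trip works. It assumes gpg 2.1 or newer and pass are installed; the name, e-mail, the throwaway GNUPGHOME and the no-passphrase setting are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: non-interactive GnuPG key generation in
# a throwaway keyring, then `pass init` with the new key and a round trip.
# Assumes gpg 2.1+ and pass are installed. Name, e-mail and the no-passphrase
# setting are constructed for the demo; a real key should carry a passphrase.
set -eu

# Isolated GNUPGHOME and store so nothing touches ~/.gnupg or ~/.password-store.
setup_demo_env() {
    DEMO_DIR=$(mktemp -d)
    export GNUPGHOME="$DEMO_DIR/gnupg"
    export PASSWORD_STORE_DIR="$DEMO_DIR/store"
    mkdir -p "$GNUPGHOME"
    chmod 700 "$GNUPGHOME"
}

# Batch-mode equivalent of `gpg --gen-key`: the parameters come from the
# heredoc instead of prompts, so it can run from a script. %no-protection
# creates an unprotected key and is only acceptable for a throwaway demo key.
generate_key() {
    gpg --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Subkey-Type: ecdh
Subkey-Curve: cv25519
Subkey-Usage: encrypt
Name-Real: Demo User
Name-Email: demo@example.invalid
Expire-Date: 1y
%commit
EOF
}

# Fingerprint of the demo key. pass accepts an e-mail as the gpg-id, as the
# comment above does, but a fingerprint cannot pick the wrong key if several
# keys in the keyring share an address.
key_fingerprint() {
    gpg --batch --with-colons --list-keys demo@example.invalid \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Initialise the store for that key, create one entry without prompting, and
# decrypt it again; prints the length of the stored password (24).
init_store_and_roundtrip() {
    pass init "$(key_fingerprint)" >/dev/null
    pass generate -n demo/example.invalid 24 >/dev/null
    # Each entry is an ordinary OpenPGP file under the store directory.
    [ -f "$PASSWORD_STORE_DIR/demo/example.invalid.gpg" ] || return 1
    pass show demo/example.invalid | head -n 1 | awk '{ print length($0) }'
}

# Stop the agent gpg started for the throwaway keyring and remove it.
cleanup_demo_env() {
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$DEMO_DIR"
}

# Run end to end only when invoked as `sh this-script.sh run`, so the
# functions can also be sourced without side effects.
if [ "${1:-}" = "run" ]; then
    setup_demo_env
    generate_key
    echo "gpg-id: $(key_fingerprint)"
    echo "stored password length: $(init_store_and_roundtrip)"
    cleanup_demo_env
fi
```

For a real store you would drop %no-protection (or use gpg --gen-key interactively as above) and point GNUPGHOME at your normal keyring; the fingerprint-as-gpg-id choice carries over unchanged.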
It's basically a rotation manager! Very powerful and lets you properly change your passwords regularly on many websites (like the proprietary Dashlane Password Changer or LastPass' similar feature).
But I ended up storing everything in one single encrypted file, rather than having one file per password. I see the point about the UNIX philosophy (i.e. "everything is a file"), but that way you'd leak information, i.e. what the stored passwords are for.
Anyway, I'd appreciate any feedback on mypass.
I use a fish script to hook it up to https://github.com/junegunn/fzf for easy search and copying to the clipboard. https://github.com/zabil/thanksforallthefish/blob/6145e98691...
.git/hooks/post-commit:
#!/bin/sh
git push origin master
I would claim that there isn't a more convenient password management solution than this.
Would I like to move to something that isn't stored online? Yes, of course but I haven't found a decent solution that works everywhere.
Any recommendations?