Pass: Unix Password Manager

Posted by Bogdanp 8 hours ago

Pass: Unix Password Manager(www.passwordstore.org)

164 points | 88 comments

rendaw 2 hours ago|

There's a ton of positivity here, but on the balance there are some significant issues with pass that I think bear mention:

- The fact that it's essentially unstructured data makes it hard to work with generically. If you have a username + password and need to use those in a script, you'll need to implement your own parser in your shell language in every script you need it in.

- `pass generate` to generate new passwords, maybe thanks to the above, replaces everything in the pass value by default. So if you had e.g. a password + secret question answers, if you use `generate` to get a new password it'll wipe out your secret question answers.

- It's very difficult to review history. I stopped using it a while ago, but since everything's encrypted `git diff` won't give you anything useful and IIRC the command line tools were very hard to use for reviewing/restoring passwords when you mess up updates, etc.

- The name makes it nearly impossible to search for

I've been working on something similar... although with slightly larger scope (intended to be used within containers/sandboxes) https://github.com/andrewbaxter/passworth

maxmoehl 15 minutes ago||

> It's very difficult to review history. I stopped using it a while ago, but since everything's encrypted `git diff` won't give you anything useful and IIRC the command line tools were very hard to use for reviewing/restoring passwords when you mess up updates, etc.

pass sets up a .gitattributes and configures git to convert gpg files to text via a custom driver. This enables a text-diff of the encrypted contents out of the box (at least for a store I've just set up to test this).

  ~/.password-store # cat .gitattributes
  *.gpg diff=gpg
  ~/.password-store # cat .git/config
  # ...
  [diff "gpg"]
          binary = true
          textconv = gpg2 -d --quiet --yes --compress-algo=none --no-encrypt-to --batch --use-agent

stevekemp 58 minutes ago|||

For the structure I "solved" that problem by creating folders with three main files:

    Websites/foo.com/username
    Websites/foo.com/password
    Websites/foo.com/email

Sometimes I add "/notes" with unstructured text contents, and for a few special cases I created a file "/json" with some machine-readable things in JSON format.

It's not perfect, and I do dislike the way that the metadata isn't encrypted, but on the whole I'm happy with the solution.

rendaw 41 minutes ago||

Yeah sure, but then are the conventions you came up with shared by all the tools in the ecosystem too (ex: browserpass)? Since the keystone (pass) declined to provide strong guidance, you end up with fragmentation and incompatibility.

stabbles 1 hour ago|||

> - The fact that it's essentially unstructured data makes it hard to work with generically. If you have a username + password and need to use those in a script, you'll need to implement your own parser in your shell language in every script you need it in.

Fair, but you can use your own conventions.

> - `pass generate` to generate new passwords, maybe thanks to the above, replaces everything in the pass value by default. So if you had e.g. a password + secret question answers, if you use `generate` to get a new password it'll wipe out your secret question answers.

Just split it into `site/pass`, `site/secret-question`, etc. The fact that it's just using a directory tree is quite nice.

> It's very difficult to review history. I stopped using it a while ago, but since everything's encrypted `git diff` won't give you anything useful

`git diff` would be an odd command to run on generated passwords even without encryption. What matters is that you know when the last change was for a password or site with `git log <file/dir>`, and you can just `git checkout -d <old commit sha>` if needed.

> - The name makes it nearly impossible to search for

in the terminal `$ pass` typically suggests the associated package.

eptcyka 26 minutes ago||

`pass git diff` decrypts the passwords for me.

mid-kid 1 hour ago||

"pass generate" has a -i flag to only replace the password in a file (assumed to be the first line)

enkrs 4 hours ago||

Browser password managers with passkeys are more convenient for me, but a pass vault can still be useful for recovery codes and API keys.

I used pass for a while but couldn’t see what threat model it actually solves:

If you let GPG agent cache your key, any script (e.g. an npm post-install) can just run `pass ls` or `pass my/secrets` and dump all your credentials. At that point it’s basically just full-disk encryption with extra steps—might as well keep everything in ~/passwords.txt.

If you don’t cache the key, you’re forced to type your long GPG password every single time you need a secret.

I tried a YubiKey for on-demand unlocking, but the integration is clunky and plugging it in constantly is a pain if you need passwords multiple times per hour.

I eventually switched to Bitwarden.

aborsy 3 hours ago||

That’s true for any password manager. If the database/store is unlocked (so the master password is cached or available in RAM), all passwords can be extracted. You have to lock the password manager when you don’t need it.

In fact, with Bitwarden, the cached password is exposed to the browser that has a large attack surface (including interacting with random remote servers). There was just a vulnerability in most browser based password managers including Bitwarden that would allow a remote attacker trick a user send out their passwords.

I use Bitwarden but mostly for non-critical passwords.

charcircuit 1 hour ago||

>That’s true for any password manager

Modern operating systems isolate individual apps such that a malicous app can not access the RAM of another app. There is a difference between not making an effort to protect passwords and requiring an OS exploit to do so.

codethief 50 minutes ago|||

Memory isolation doesn't really help, though. If you have a malicious process running under the same user account as your password manager, it's still game over since that process could e.g.

- capture keyboard input - capture your screen - silently install browser extensions to capture your credentials - modify your shell config, .desktop files, $PATH, … to have you e.g. call a backdoored version of your password manager, or put a modified version of sudo on your $PATH that logs your password (=> root access => full memory access) - …

charcircuit 36 minutes ago||

For modern operating systems capturing keyboard input is locked down to avoid keyloggers. Capturing your screen requires explicit user permission to do so, popping up a dialog. Apps are isolated so another app can't interfere and install a browser extention or modify shell configs, etc.

aborsy 51 minutes ago|||

The OS protections apply to all applications. In addition, the job of agents like gpg-agent or ssh-agent is to protect secret keys while they are cached (like preventing OS writing keys to swaps). You can configure them to erase keys after a certain time, require user’s confirmation for each key operation, store gpg keys in internal TPM or external hsm, and would talk to the agent through specific sockets.

Unlike browser-based password managers, the agents don’t continuously interact with the browser code and remote elements (probably don’t have network access at all).

One area that matters that I forgot to mention in my comment below is that, as a result of all above, Pass doesn’t check the domains and doesn’t protect against phishing. There might be extensions, but at that point, you might as well use keepassxc.

eptcyka 24 minutes ago|||

You can configure the yubikey to need a PIN and/or touch to authorise the use a GPG key.

My main issue with pass is that it doesn’t work great on iOS with yubikeys.

puffybuf 2 hours ago|||

I store my passwords on an encrypted file partition sqlite database. My script grabs the pass and immediately closes the partition afterwards.

You can also just encrypt your passwords into individual encrypted files (one for each password) and have your script clear the gpg agent after a passfile is decrypted.

yehoshuapw 58 minutes ago|||

it took a while to get it to work well, but I use yubikey here, and recommend it. I do need to find and pulg it in sometimes, but overall might leave it plugged in. and I have it configured to require a touch for every operation

justusthane 4 hours ago|||

> a pass vault can still be useful for recovery codes and API keys

You might already be aware of this, but Bitwarden also has a CLI client that can be used for this purpose, at least casually.

ggiesen 3 hours ago||

And can run a local webserver to expose an API (though they still need to tighten up security on it)

komali2 2 hours ago||

I can't remember how but pass for me works in brave browser and Firefox, as well as on mobile. It's my only password manager. I'm assuming some browser plugin.

drnick1 6 hours ago||

This is interesting for CLI lovers, but I feel KeepassXC on desktop + KeepassDX on Android (with the password DB stored on my own machine and accessed remotely via Wireguard) is a better solution for normies.

mid-kid 54 minutes ago||

The only use case of mine that's not solved by keepass is creating passwords on two separate machines without a direct connection, and merging them later.

elevation 5 hours ago|||

Don't forget keepassxc.cli, which allows you to programmatically set and retrieve secrets. The interface is significantly more user friendly arcane. I used it when I needed to build an encrypted secrets bundle (so that one long password could temporarily unlock some API keys required for a disaster-recovery situation.) I was able to generate a single file plus a "Makefile" to unlock it and pass the keys into the appropriate environments.

I had attempted to use GNU `pass' first, but sadly, it requires me to manage gnupg, which is a well known minefield of poor default options, and assumes it should be integrated into your shell by storing things in your user profile directory (instead of using the directory relative to where you call it.) This jeopardized my copy-one-file workflow, so despite its ubiquity I had to abandon it.

shikaan 2 hours ago|||

Shameless plug. I built a tool[1] to manage Keepass archives in the terminal which might scratch some of the itches I am reading here: it has a TUI, but can be piped into other commands too.

[1]: https://github.com/shikaan/keydex

laszlojamf 2 hours ago|||

"Normies"? Everything is relative, I guess. I use 1Password and just hope for the best.

usr1106 1 hour ago||

Right. Having an own machine 24/7 online and setting up wireguard to it does not sound very typical.

I use pass myself and I don't care about mobile. But I really don't know what to recommend family members.

bramgn 4 minutes ago||

I use pass also on my phone in combination with Termux. I keep the passwords stores in sync using git. pass on android also supports copying your password directly into the clipboard, which is especially nice on a mobile device.

PhilipRoman 2 hours ago|||

FYI for desktop there is a "passmenu" script that you can bind to a key in your DE/WM.

hyperpl 5 hours ago||

Any particular reason for remote access via wg and not via syncthing? I'm also curious how you access it via wg on Android?

drnick1 3 hours ago||

I already use WG to access other services running on my LAN. The DB is on a Samba share, and I use KeePassDX as a client on my phone (GrapheneOS).

msravi 5 hours ago||

There's also the pass-otp extension that generates OTPs!

https://github.com/tadfisher/pass-otp

The pass android app is really nice too

https://play.google.com/store/apps/details?id=dev.msfjarvis....

It also works in termux

Kwpolska 53 minutes ago||

> This app isn't available for your device because it was made for an older version of Android.

And no, those apps don't work great, because they involve some clunky GPG app.

ninjin 3 hours ago||

Thank you for sharing. My solution has been to dump small scripts like this in ~/bin:

    #!/bin/sh
    
    set -eu
    
    k=$(pass ARG)
    oathtool -b --totp "$k"

echo42null 57 minutes ago||

Best practice question for syncing pass across devices: Since exporting and re-importing the private key to a phone seems risky, is the recommended approach to generate a separate GPG key pair on the mobile device and re-encrypt secrets to it?

lucb1e 5 hours ago||

This is fun if you never leave yourself, but be wary with whom you share it. As a company password manager, there is no way to know who's accessed which secret across their lifetime at the firm so you get to change all the passwords constantly. (Or none, if you can't be bothered.) (Don't ask.)

Or if someone newly needs access, there's no standard way of re-encrypting the files you're guessing they need. You need to hack something together yourself

It uses git, but the commit messages are autogenerated and useless. It might as well have used Dropbox for all the use you get out of it when wanting to find the version before someone corrupted data with their somehow-broken gopass client

There is no way to ever erase anything you've accidentally pushed, short of rewriting the git history and breaking it for everyone (or for personal use: other client devices)

It looks nice and simple, and I like that I can interface with it with manual tools (e.g. write my own commit messages to have some idea of wtf is going on, e.g. when mass-reencrypting to not have 300 commits), but the simplicity is also the pitfall. Feels a bit similar to using hash(site_name+main_password) as a per-site password: beautiful in simplicity but various practical issues

Does anyone have good experiences with a password manager for a corporate environment? Ideally not having yet-another service to maintain, but also not have a server compromise equal business compromise (so end-to-end encryption between the users; verifying fingerprints or some such). From what I found so far, Bitwarden seems to meet that bill but I don't know if there are also others

ganomi 2 hours ago||

I have no practical experience yet, but i evaluated the market for a password sharing solution for a team with similar requirements within an enterprise.

Another option in that area is https://www.passbolt.com/

It uses a public/private key approach, where the plain passwords never leave the local machine and shared passwords are re-encrypted with each users public key.

supriyo-biswas 5 hours ago|||

My current employer uses 1password and it has a couple of nifty features like "vaults" shared with a group of people, an "op run" command to inject secrets using a .env file, service accounts to fetch passwords in CI, etc.

conception 4 hours ago||

It has dev environments now too! https://developer.1password.com/docs/environments/

ggiesen 3 hours ago|||

Bitwarden is pretty usable, we use it at our org, and while still has a rough edge or two for corporate use, gets better all the time.

62 5 hours ago||

I agree

commandersaki 23 minutes ago||

I love Jason Donenfeld’s work, but I don’t really see the point of pass compared to using an encrypted text file, the latter being far more ergonomic.

ragnot 7 hours ago||

If you are using age instead of GPG for encryption purposes, I've found this to be useful: https://github.com/FiloSottile/passage

networked 2 hours ago||

There are also other pass-like password managers that use age. The developer of one has made a comparison table: https://gitlab.com/retirement-home/seniorpw/-/tree/02dc02d1e.... (Disclosure: pago in the table is mine.)

echo42null 45 minutes ago||

How would you build a dead man’s switch for pass? I’d like my family to be able to access my store if I disappear, but not before. The obvious problem: to re-encrypt for their keys I’d need my private GPG key running somewhere, which defeats the point. Has anyone solved this cleanly without leaving a hot key around?

arccy 10 minutes ago|

key sharding with a trusted third party? computer systems can't know of your death, or even true time, so you have to trust something like a company holding the secrets for you, or your lawyer...

WD-42 5 hours ago|

Pass is still amazing after all these years. Shameless self plug: I wrote a gnome search provider for it so you can lookup passwords from the overview. Supports OTP as well. https://github.com/Fingel/ripasso-gnome-search-provider

More comments...