
Posted by Bogdanp 13 hours ago

Pass: Unix Password Manager (www.passwordstore.org)
197 points | 93 comments
andrewrn 10 hours ago
Growing tired of Bitwarden in the browser, so this is pretty intriguing. But it's hard to forgo mobile compatibility.
Kwpolska 5 hours ago
Try KeePassXC on desktop, KeePass2Android on mobile (there's something on iOS too).

There are some pass apps for Android, but they're a pain to use.

lytedev 9 hours ago
Bitwarden has a desktop GUI app as well as an official CLI. If you're comfortable with it, there are also community ones like https://github.com/doy/rbw
acaloiar 10 hours ago
No need to forgo mobile if you're on iOS [1].

1. https://apps.apple.com/us/app/pass-password-store/id12058205...

nixpulvis 10 hours ago
This app wasn't working for me last time I tried it. Granted that was a few years ago.
cl3misch 6 hours ago
For me it's working very well, now even using my own git remote in Tailscale.

This app is keeping me on iOS as there is no single-app replacement on Android afaik.

andrewrn 10 hours ago
Holy shit... this is dope as hell. Thank you
obk0943t 11 hours ago
There are still no just-download clients for pass on mobile, which I think is why it's not a good option.
notpushkin 10 hours ago
There’s one for Android, though it has been looking for a new maintainer for a while now: https://github.com/android-password-store/Android-Password-S...

Edit: looks like there’s a community fork now! https://github.com/agrahn/Android-Password-Store

tretiy3 7 hours ago
Life saver! New version lacks OpenKeychain integration (they discuss in issues that it is also no longer maintained). Abandoned version of Android Password Store had some issues with embedded PGP manager and was not working for me. But this fork works!
cramsession 10 hours ago
I ssh in from my phone, which works pretty well.
bharrison 10 hours ago
Same
mattacular 9 hours ago
There is for iOS - passforios - https://apps.apple.com/us/app/pass-password-store/id12058205...

Works great.

braincat31415 10 hours ago
I use it inside termux on android. There is a termux pass package. But it might be hard to input a complex decryption password on the phone keyboard.
nixpulvis 10 hours ago
I use pass a good amount, but I wish there were better OS/mobile integrations.
wfleming 9 hours ago
What kind of mobile functionality were you looking for? The (unofficial) iOS app is pretty good IMHO and integrates with iOS’s OS-level password filling, and also supports the pass-otp plugin’s format for 2fa codes if you use that plugin. There was a decent Android client I used a while back as well, though I don’t recall the name.

[1]: https://apps.apple.com/us/app/pass-password-store/id12058205...

avh02 9 hours ago
Not the parent, but dwindling YubiKey support (for GPG key storage) is an issue; I had to pull out a legacy version on Android for it to keep working (they changed the underlying crypto library and lost the support there).

No iPad version I've found supports YubiKey either.

sgsjchs 11 hours ago
Why would you want to store arbitrary individual passwords instead of deriving them on demand from the service name/domain and a common secret?
snailmailman 11 hours ago
If you are doing that:

- what if some site has weird password requirements and the derived password doesn't work?

- what if a site gets hacked and you need to rotate one password?

If you have to store data per-site anyway because of those cases, you may as well just store passwords. You can (and should) still generate extremely high-entropy passwords.

merlincorey 11 hours ago
Additionally, you can store other data. For example, one could have scans of important documents stored in pass, which means they are GPG encrypted and backed by a git repository, so they are versioned and shared across multiple machines.
lucb1e 10 hours ago
Indeed. Additionally:

- if your secret leaks and you don't know it (or you do know, but you need some time to change it), the attacker not only gets the snapshot of your password manager but also can derive all future passwords you'll generate, or past ones you long forgot about

- there's no way to know what you've entered before, since it's stateless. With data stored in a manager, I know what username I used and can associate other data. If your uniqueifying input is the domain, and let's say HN would become hn.yc or whatever and you visit it again in ten years, you'd have to remember that hn.yc accepts the password of what you entered as news.ycombinator.com

I have to admit though, hash(name+secret)=password is so simple and beautiful that it draws IT people like a fine artwork draws visitors. But for me, that doesn't outweigh the practical issues

akerl_ 11 hours ago
Because the former works with any site and circumstance and the latter does not.
gmuslera 10 hours ago
Not all sites are safe, either by design or by people running them. Having a common secret+service name as password AND having at least one of those sites leaking your plaintext password could mean that your derivation may go public and all your other passwords and services fall because of that.
listeria 9 hours ago
Presumably the derivation would involve a cryptographically secure, non-reversible function so as to not compromise the secret should one of them be leaked.
jibal 6 hours ago
"deriving them" != op<+>
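The trade-offs argued in this subthread (snailmailman's per-site requirements and rotation, lucb1e's stateless-ness and leaked-secret points, gmuslera's and listeria's exchange about a leaked plaintext password), as an added worked example in Python. This is not code from the thread, from pass, or from any commenter: it shows an HMAC-based derive-on-demand scheme, the per-site state such a scheme still needs (username, rotation counter, password policy), and an offline guess of a weak master secret from a single leaked plaintext password. The site names, usernames, wordlist and the `hunter2` secret are constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed demo alphabets; nothing here comes from pass or the thread.
DEFAULT_ALPHABET = (
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789"
    "!@#$%^&*"
)
NO_SYMBOLS = DEFAULT_ALPHABET[:62]  # for a site that rejects symbols


def derive_password(master, site, username="", counter=0, length=20,
                    alphabet=DEFAULT_ALPHABET):
    """Derive a site password from a master secret with HMAC-SHA256.

    The label binds site, username and a rotation counter. The keyed output is
    expanded block by block and mapped onto `alphabet` with rejection sampling,
    so each character is uniform over the alphabet (no modulo bias).
    """
    label = json.dumps([site, username, counter], separators=(",", ":")).encode()
    limit = 256 - (256 % len(alphabet))  # largest multiple of len(alphabet) <= 256
    chars = []
    block = 0
    while len(chars) < length:
        stream = hmac.new(master.encode(), label + block.to_bytes(4, "big"),
                          hashlib.sha256).digest()
        for b in stream:
            if b < limit:
                chars.append(alphabet[b % len(alphabet)])
                if len(chars) == length:
                    break
        block += 1
    return "".join(chars)


# The per-site state a "stateless" scheme ends up needing anyway (constructed):
# which username was used, which counter the current password is on, and any
# site-specific policy. This is exactly the data a password manager stores.
SITE_STATE = {
    "news.ycombinator.com": {"username": "alice", "counter": 0},
    "bank.example": {"username": "alice", "counter": 0, "alphabet": NO_SYMBOLS},
}


def password_for(master, site, state=SITE_STATE):
    s = state[site]
    return derive_password(master, site, s["username"], s["counter"],
                           alphabet=s.get("alphabet", DEFAULT_ALPHABET))


def rotate(site, state=SITE_STATE):
    """Rotating one password after a breach means bumping that site's counter.
    The counter is state: it has to be stored and synced like a vault would be."""
    state[site]["counter"] += 1
    return state[site]["counter"]


def recover_master(leaked_password, site, username, counter, candidates,
                   alphabet=DEFAULT_ALPHABET):
    """Offline guess of the master secret from one plaintext password a site leaked.

    HMAC is one-way, so this is brute force rather than inversion, but it succeeds
    whenever the master secret is guessable: the derivation function is public, so
    a single leak becomes an oracle, and the recovered master yields every other
    site's password, including ones generated in the future.
    """
    for guess in candidates:
        candidate = derive_password(guess, site, username, counter,
                                    len(leaked_password), alphabet)
        if hmac.compare_digest(candidate, leaked_password):
            return guess
    return None


if __name__ == "__main__":
    master = "hunter2"  # deliberately weak demo secret (constructed)
    pw = password_for(master, "news.ycombinator.com")
    print("HN password:", pw)
    print("bank (no symbols):", password_for(master, "bank.example"))
    rotate("news.ycombinator.com")
    print("after rotation:", password_for(master, "news.ycombinator.com"))
    wordlist = ["password", "letmein", "hunter2", "correcthorsebatterystaple"]
    print("master recovered from one leak:",
          recover_master(pw, "news.ycombinator.com", "alice", 0, wordlist))
```

The point of `SITE_STATE` is that the username, counter and alphabet are not derivable from the site name; once you are syncing that table between machines, you are running a password manager with an extra step. `recover_master` is the concrete form of gmuslera's worry: a strong one-way function protects the secret only to the extent the secret itself resists guessing.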
rasengan 10 hours ago
Another great software contribution to the world by Jason Donenfeld, creator of WireGuard!