
Posted by Bogdanp 9/13/2025

Pass: Unix Password Manager(www.passwordstore.org)
329 points | 181 comments | page 4
andrewrn 9/14/2025|
Growing tired of Bitwarden in the browser, so this is pretty intriguing. But it's hard to forgo mobile compatibility.
lytedev 9/14/2025||
Bitwarden has a desktop GUI app as well as an official CLI. If you're comfortable with it, there are also community ones like https://github.com/doy/rbw
acaloiar 9/14/2025|||
No need to forego mobile if you're on iOS [1].

1. https://apps.apple.com/us/app/pass-password-store/id12058205...

nixpulvis 9/14/2025|||
This app wasn't working for me last time I tried it. Granted that was a few years ago.
cl3misch 9/14/2025||
For me it's working very well, now even using my own git remote in tailscale.

This app is keeping me on iOS as there is no single-app replacement on Android afaik.

acaloiar 9/14/2025||
If I were to go back to Android, I'd have to build the app first. Although I would build it with age support :)
andrewrn 9/14/2025|||
Holy shit... this is dope as hell. Thank you
Kwpolska 9/14/2025||
Try KeePassXC on desktop, KeePass2Android on mobile (there's something on iOS too).

There are some pass apps for Android, but they're a pain to use.

nixpulvis 9/14/2025||
I use pass a good amount, but I wish there were better OS/mobile integrations.
wfleming 9/14/2025|
What kind of mobile functionality were you looking for? The (unofficial) iOS app is pretty good IMHO and integrates with iOS’s OS-level password filling, and also supports the pass-otp plugin’s format for 2fa codes if you use that plugin. There was a decent Android client I used a while back as well, though I don’t recall the name.

[1]: https://apps.apple.com/us/app/pass-password-store/id12058205...

avh02 9/14/2025||
Not the parent, but dwindling YubiKey support (for gpg key storage) is an issue, had to pull out a legacy version on Android for it to keep working (they changed the underlying crypto library and lost the support there).

No iPad version I've found supports YubiKey either.

j7ake 9/14/2025||
Combine pass with qtpass on osx and pass on iPhone and you’re golden
rasengan 9/14/2025||
Another great software contribution to the world by Jason Donenfeld, creator of WireGuard!
unixdevbsd 9/16/2025||
[dead]
sgsjchs 9/14/2025|
Why would you want to store arbitrary individual passwords instead of deriving them on demand from the service name/domain and a common secret?
snailmailman 9/14/2025||
If you are doing that,

- what if some site has weird password requirements and the derived password doesn’t work

- what if a site gets hacked and you need to rotate one password.

If you have to store data per-site anyway because of those cases, may as well just store passwords. You can (and should) still generate extremely high entropy passwords.

merlincorey 9/14/2025|||
Additionally, you can store other data; for example, one could have scans of important documents that are stored in Pass, which means they are GPG encrypted and backed by a git repository, so they are versioned and shared across multiple machines.
lucb1e 9/14/2025|||
Indeed. Additionally:

- if your secret leaks and you don't know it (or you do know, but you need some time to change it), the attacker not only gets the snapshot of your password manager but also can derive all future passwords you'll generate, or past ones you long forgot about

- there's no way to know what you've entered before, since it's stateless. With data stored in a manager, I know what username I used and can associate other data. If your uniqueifying input is the domain, and let's say HN would become hn.yc or whatever and you visit it again in ten years, you'd have to remember that hn.yc accepts the password of what you entered as news.ycombinator.com

I have to admit though, hash(name+secret)=password is so simple and beautiful that it draws IT people like a fine artwork draws visitors. But for me, that doesn't outweigh the practical issues

akerl_ 9/14/2025|||
Because the former works with any site and circumstance and the latter does not.
gmuslera 9/14/2025|||
Not all sites are safe, either by design or by people running them. Having a common secret+service name as password AND having at least one of those sites leaking your plaintext password could mean that your derivation may go public and all your other passwords and services fall because of that.
listeria 9/14/2025|||
Presumably the derivation would involve a cryptographically secure, non-reversible function so as to not compromise the secret should one of them be leaked.
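The trade-off argued in this subthread, as an added example that is not code from any commenter or from pass: a derive-on-demand scheme built on PBKDF2-HMAC-SHA256 (this example's choice of one-way function), together with the per-site length, alphabet and rotation counter it still has to store. The site names, secret and parameters are constructed.

```python
import hashlib
import string

DEFAULT_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def derive(secret: bytes, name: str, counter: int = 0,
           length: int = 20, alphabet: str = DEFAULT_ALPHABET) -> str:
    """Derive a password from a common secret and a service name.

    PBKDF2 is one-way, so a leaked output does not directly expose
    `secret`; a leaked `secret` still yields every past and future output.
    """
    salt = f"{name}\x00{counter}".encode()
    block = hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000, dklen=64)
    n = int.from_bytes(block, "big")
    chars = []
    for _ in range(length):
        # A 512-bit n keeps the modulo bias negligible for short outputs.
        n, r = divmod(n, len(alphabet))
        chars.append(alphabet[r])
    return "".join(chars)


# State the "stateless" scheme ends up needing (constructed sample data).
SITES = {
    "news.ycombinator.com": {},                                # defaults fit
    "bank.example": {"length": 8, "alphabet": string.digits},  # odd policy
    "forum.example": {"counter": 1},                           # rotated once
}


def password_for(secret: bytes, site: str, sites=SITES) -> str:
    """Look up the stored per-site parameters, then derive."""
    return derive(secret, site, **sites[site])


if __name__ == "__main__":
    secret = b"constructed master secret"
    for site in SITES:
        print(site, password_for(secret, site))
    # A renamed domain gives a different password unless the old name
    # is remembered somewhere, which is more stored state.
    print(derive(secret, "hn.yc") == derive(secret, "news.ycombinator.com"))
```
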
jibal 9/14/2025|||
"deriving them" != op<+>