FRESH

Hacker News

Home

Pass: Unix Password Manager

329 points by Bogdanp

by rendaw

11 subcomments

There's a ton of positivity here, but on the balance there are some significant issues with pass that I think bear mention:
- The fact that it's essentially unstructured data makes it hard to work with generically. If you have a username + password and need to use those in a script, you'll need to implement your own parser in your shell language in every script you need it in.
- `pass generate` to generate new passwords, maybe thanks to the above, replaces everything in the pass value by default. So if you had e.g. a password + secret question answers, if you use `generate` to get a new password it'll wipe out your secret question answers.
- It's very difficult to review history. I stopped using it a while ago, but since everything's encrypted `git diff` won't give you anything useful and IIRC the command line tools were very hard to use for reviewing/restoring passwords when you mess up updates, etc.
- The name makes it nearly impossible to search for
I've been working on something similar... although with slightly larger scope (intended to be used within containers/sandboxes) https://github.com/andrewbaxter/passworth

by enkrs

9 subcomments

Browser password managers with passkeys are more convenient for me, but a pass vault can still be useful for recovery codes and API keys.
I used pass for a while but couldn’t see what threat model it actually solves:
If you let GPG agent cache your key, any script (e.g. an npm post-install) can just run `pass ls` or `pass my/secrets` and dump all your credentials. At that point it’s basically just full-disk encryption with extra steps—might as well keep everything in ~/passwords.txt.
If you don’t cache the key, you’re forced to type your long GPG password every single time you need a secret.
I tried a YubiKey for on-demand unlocking, but the integration is clunky and plugging it in constantly is a pain if you need passwords multiple times per hour.
I eventually switched to Bitwarden.

by drnick1

9 subcomments

This is interesting for CLI lovers, but I feel KeepassXC on desktop + KeepassDX on Android (with the password DB stored on my own machine and accessed remotely via Wireguard) is a better solution for normies.

by lucb1e

7 subcomments

This is fun if you never leave yourself, but be wary with whom you share it. As a company password manager, there is no way to know who's accessed which secret across their lifetime at the firm so you get to change all the passwords constantly. (Or none, if you can't be bothered.) (Don't ask.)
Or if someone newly needs access, there's no standard way of re-encrypting the files you're guessing they need. You need to hack something together yourself
It uses git, but the commit messages are autogenerated and useless. It might as well have used Dropbox for all the use you get out of it when wanting to find the version before someone corrupted data with their somehow-broken gopass client
There is no way to ever erase anything you've accidentally pushed, short of rewriting the git history and breaking it for everyone (or for personal use: other client devices)
It looks nice and simple, and I like that I can interface with it with manual tools (e.g. write my own commit messages to have some idea of wtf is going on, e.g. when mass-reencrypting to not have 300 commits), but the simplicity is also the pitfall. Feels a bit similar to using hash(site_name+main_password) as a per-site password: beautiful in simplicity but various practical issues
Does anyone have good experiences with a password manager for a corporate environment? Ideally not having yet-another service to maintain, but also not have a server compromise equal business compromise (so end-to-end encryption between the users; verifying fingerprints or some such). From what I found so far, Bitwarden seems to meet that bill but I don't know if there are also others

by msravi

3 subcomments

There's also the pass-otp extension that generates OTPs!
https://github.com/tadfisher/pass-otp
The pass android app is really nice too
https://play.google.com/store/apps/details?id=dev.msfjarvis....
It also works in termux

by ragnot

2 subcomments

If you are using age instead of GPG for encryption purposes, I've found this to be useful: https://github.com/FiloSottile/passage

by denismi

5 subcomments

I recently moved away from pass after a decade or so.
Two main reasons:
1. This laptop up was set up with flatpak versions of all GUI applications, including Firefox, and the browser plugin just doesn't work. I persisted with the work-around of `pass -c <path>` from the run command prompt for a while to paste into the browser, but its not ideal.
2. I realised that the Android app was archived. There's at least one fork, but who knows how that will be maintained going forward. https://github.com/android-password-store/Android-Password-S...
For now I'm content with hosting vaultwarden and using various Bitwarden clients.

by dclaw

1 subcomments

Happy pass user for ~8 years now, have ~1300 passwords stored. No issues whatsoever. Use git to sync it across devices, totally awesome.

by tlamponi

0 subcomment

I like pass and use it a lot, especially as it provides a good and safe backup for the case my vaultwarden instance goes up in smokes.
There is also a drop-in replacement with has some extra features and a bit better UX in some parts, personally I only really use it for the better support for handling multiple GPG keys, as I got some physical backup keys and it can be also nice teams for a shared vault.
https://www.gopass.pw/
https://github.com/gopasspw/gopass

by WD-42

0 subcomment

Pass is still amazing after all these years. Shameless self plug: I wrote a gnome search provider for it so you can lookup passwords from the overview. Supports OTP as well. https://github.com/Fingel/ripasso-gnome-search-provider

by aborsy

2 subcomments

I have heavily used Pass over the years. Here are some of its pros (an update to my comment several years ago):
* Your secret key can be stored in Yubikey, handled by a dedicated OpenPGP agent. This allows deriving a strong key from a weak one. Your password is basically a short PIN with max 3 tries. Every password retrieval can require a physical touch. This is convenient and secure!
Pass makes sense if you use it with a hardware key, with touch enabled. With this setup, it’s hard to beat its security.
* It uses public key cryptography, and comes with its advantages. You don’t need your master password to add/encrypt passwords. You only need that for decryption. Less exposure of master key, and more convenience.
For that reason, it’s well suited to share passwords with other people or devices. You can encrypt to multiple public keys. This adds multi user and device support.
You can easily add a backup offline public key (which you may print) if you lose your Yubikey.
* You can decrypt a single password without decrypting and exposing other passwords. The passwords are isolated, if you use Yubikey.
* Searching passwords is quick and transparent. You easily see what is in your store.
* You can use it programmatically, eg, your backup script can grab a password from the store.
* It’s a short bash script that you can verify, and delegates encryption to a dedicated well-audited cryptographic tool.
* PGP is a standard, and GPG and git are widely available. There is no database to break or migrate. You can read your passwords anywhere and in the future.
* The script is written by the creator of the acclaimed Wireguard!
There are also cons.
* Some people don’t like that it leaks metadata (filenames, and password tree), though there are versions of pass that fix it.
* Lately gpg is causing some troubles with Debian Trixie. GPG agent frequently locks the Yubikey and requires restarting pcscd (probably due to conflicts with pcscd). There is a similar tool Passage using Age, maybe that solves it.
* There are mobile apps, but they are not as frequently updated as something like Bitwarden apps (which has client for every OS, and frequently fixes bugs and adds functionality).
* I haven’t used and not sure how good browser support is.
Here is a post on a similar password management with GPG replaced with Age
https://words.filippo.io/passage/

by hyperpl

0 subcomment

I used pass for many years and loved it. I sync'd my password store between 3+ devices including my Android phone using a git remote. I don't recall the exact reason - maybe the pass android client I had used for years went away? I decided to find the next best option and settled on keepassxc and KeePassDX. The backing store is a binary blob but it does surprisingly well via syncthing: autoupdate works and in the event of a conflict the db merge feature hasn't yet failed me.
Granted on the desktop I find using a (qt especially) GUI more invasive than a terminal but at least on the Android side the app is quite good.

by hamburglar

3 subcomments

I have a different approach I’ve used for about 10 years that I like a lot. All password metadata is stored in a plain JSON file indexed by name (usually site name). Each entry contains at the minimum a username. Optionally it has a version number and some password rules like the length (20 if absent) and the character classes that are allowed, along with how many of each character class are required. None of this data is sensitive, so if you look at the file you see my list of sites. The actual passwords are not stored, because my tool is actually a deterministic password generator, which prompts me for a passphrase and generates a password from the passphrase and a hash of all the metadata. One nice feature is that if I just change the version number I get a whole new password, and the “history” is still available by changing the version back.
The one major downside to it is that it is absolutely unusable for sharing passwords because obviously that would require sharing my passphrase, and there is no way to “store” a password that someone else set. I’ve thought about writing a mode that would encrypt a string (eg a shared password) with the metadata-generated password and store it in a separate piece of metadata for that purpose, but the number of times I’ve needed that has been extremely small.

by mjd

0 subcomment

I've been doing basically this for many years now.
Each password file is AES-encrypted with my master password.
I copy the whole vault around between machines with rsync.
When I run 'password bank' a shell script searches ~/private/Passwords for files that contain ‘bank’ and offers a menu, then gpg-decrypts the file I selected.
I also use this for scans of my passport, recording my bank account numbers, and anything else I want to keep around.
I thought I was the only one, and now I've found out there are thousands of us!

by 0fflineuser

0 subcomment

I love it. It is so simple and flexible.
But a life saver is using it with <https://github.com/skeeto/passphrase2pgp>.
This means we don't need to move gpg/ssh keys we can just recreate them by remembering their passphrase (and other stuff like the date if we want).
```
  # gpg key for the encryption of the password-store
  passphrase2pgp --subkey --protect=2 --uid "helloworld" | gpg --import

  #for access to the git remote repo add to it this public key :
  passphrase2pgp -u emergency -f ssh -p > ~/.ssh/emergency.pub
  #only use it to install a non-emergency key as a new authorized key :
  passphrase2pgp -u emergency -f ssh | ssh-add -
```
I read a blog post for the above but can't remember what it was, but it's amazing now It's very easy to download and access the password-store from any devices, I use it in window, linux and termux.
Funnily enough I never used `pass generate` once, even tough I have more than 3700 passwords. I always used the `pwgen` command, I don't know if there really is a big difference between the 2 (except pass generate being already in pass).
As for how to structure, here are some example of how I do it :
```
  <service>/email
  <service>/otp
  work/<service>/password
  homelab/<service>/username
```
They are all only one line except some backup codes which use multiline.
Then it's very easy to get the password or the otp, just bind `passmenu`, `passmenu-otp` in your window manager or directly use the command line for multiline stuff.

by arminiusreturns

0 subcomment

I recently did a deep dive on cli password management in an attempt to harden my bash scripts. (yes, I love bash, despite HN always loving to talk crap about it)
Pass is just a shell wrapper around gnupg, when you run pass some/secret/path, what actually happens is pass constructs and executes a gpg command (e.g., gpg --decrypt ~/.password-store/some/secret/path.gpg) and the output of gpg (the plaintext secret) is piped to pass's stdout.
Most people know this though. What I learned I didn't know before though was this:
Memory Zeroing: after it's used (e.g., copied to a pipe or stdout), GPG's internal memory management aims to zero out those memory regions used as soon as they are no longer needed
Memory Locking: GnuPG also uses mlock() (or equivalent OS-specific calls) to lock sensitive memory pages into RAM. This prevents the plaintext keys and decrypted data from being swapped out to disk, protecting against swap-file forensics or cold boot attacks.
I had been banging my head against bash trying to do those things manually, and ended up with the conclusion it was best to use pass/gpg with the following addendums (from my notes in my skeleton secure bash template):
1. Minimize secret lifetime: Use subshells, functions with local variables, and unset, disable bash history
2. Pipe secrets directly: Pass secrets via stdin or process substitution directly to the consuming program without intermediate variables if possible.
3. Rely on the tools: Use pass, gpg, or KMS CLIs that are themselves implemented in lower-level languages and can (and should) implement these memory protection techniques internally.
ps: keepassxc is the other favorite to use

by jwgarber

2 subcomments

Pass is great, but GPG keys are complicated and add a lot of extra overhead if you don't have one already. Frankly I cannot recommend anyone use GPG today for any purpose. I wrote a much simpler CLI password manager instead that meets explicit security models.
https://codeberg.org/jwgarber/napa/src/branch/main/database....

by wkat4242

0 subcomment

I love this one. I use it every day.
What i love in particular is the combination with OpenPGP keys on a yubikey. Because of this you have two factor and more importantly, you unlock each password individually. This way an attacker can't steal your entire database of passwords even if they have full control over your computer. They can only see the passwords you unlocked. Because each password requires a physical touch on the yubikey.
With some other community favourites like keepass and bitwarden, once your database is unlocked, all the data is open..

by bborud

1 subcomments

If only chip makers and computer manufacturers could agree on some useful common interface for managing keys so we could get more people to use these solutions.

by echo42null

2 subcomments

How would you build a dead man’s switch for pass? I’d like my family to be able to access my store if I disappear, but not before. The obvious problem: to re-encrypt for their keys I’d need my private GPG key running somewhere, which defeats the point. Has anyone solved this cleanly without leaving a hot key around?

by johntash

0 subcomment

Huh, I thought pass wasn't developed anymore for some reason. Glad to see it still is!
Related: https://github.com/gopasspw/gopass
I haven't used pass in a long time, but I used gopass for a while in a small team and it was pretty great.

by jiehong

0 subcomment

On MacOS, I tried using the Password App for passwords, but there is no cli to access it in scripts.
The keychain is accessible with a cli, but is not very nice to work with. Which is a bit sad, because being able to use touchid when running a script or signing commits would be nice.

by obk0943t

4 subcomments

There is still no just-download clients for pass on mobile which I think is why it's not a good option

by echo42null

2 subcomments

Best practice question for syncing pass across devices: Since exporting and re-importing the private key to a phone seems risky, is the recommended approach to generate a separate GPG key pair on the mobile device and re-encrypt secrets to it?

by awaymazdacx5

0 subcomment

I have twelve ISBNs that I encrypt for passwords.
Depending on which genre, managing key-rings has element of physical security to encrypt signatures in terminal and bash shell.
For full disk encryption, genfstab and /boot/grub/grub.cfg should contain sigs for partitions.

by rednafi

0 subcomment

GPG is a big detractor, at least for me. Working with the GPG agent is usually a subpar, if not outright confusing, experience. I’d happily take a version that uses ssh-agent instead to achieve the same.

by Kwpolska

2 subcomments

Pass might work if you really like terminals and only use computers with a Unix-like OS. But if you use a phone, or Windows, pass is just too clunky to use.

by commandersaki

1 subcomments

I love Jason Donenfeld’s work, but I don’t really see the point of pass compared to using an encrypted text file, the latter being far more ergonomic.

by marssaxman

0 subcomment

This is very similar to the way my own jury-rigged password manager works. I didn't know there was an existing tool.

by edoceo

0 subcomment

This is the wirgeuard dude. Jason is one of the GOATs

by andrewrn

3 subcomments

Growing tired of Bitwarden in the browser, so this is pretty intriguing. But its hard to forgo mobile compatibility.

by j7ake

0 subcomment

Combine pass with qtpass on osx and pass on iPhone and you’re golden

by nixpulvis

1 subcomments

I use pass a good amount, but I wish there were better OS/mobile integrations.

by rasengan

0 subcomment

Another great software contribution to the world by Jason Donenfeld, creator of WireGuard!

by unixdevbsd

0 subcomment

[dead]

by sgsjchs

4 subcomments

Why would you want to store arbitrary individual passwords instead of deriving them with on demand from the service name/domain and a common secret?