Pass: Unix Password Manager (passwordstore.org)
169 points by Bogdanp 9 hours ago
rendaw 3 hours ago
There's a ton of positivity here, but on the balance there are some significant issues with pass that I think bear mention:
- The fact that it's essentially unstructured data makes it hard to work with generically. If you have a username + password and need to use those in a script, you'll need to implement your own parser in your shell language in every script you need it in.
- `pass generate` to generate new passwords, maybe thanks to the above, replaces everything in the pass value by default. So if you had e.g. a password + secret question answers, if you use `generate` to get a new password it'll wipe out your secret question answers.
- It's very difficult to review history. I stopped using it a while ago, but since everything's encrypted `git diff` won't give you anything useful and IIRC the command line tools were very hard to use for reviewing/restoring passwords when you mess up updates, etc.
- The name makes it nearly impossible to search for
I've been working on something similar... although with slightly larger scope (intended to be used within containers/sandboxes) https://github.com/andrewbaxter/passworth
maxmoehl 44 minutes ago
> It's very difficult to review history. I stopped using it a while ago, but since everything's encrypted `git diff` won't give you anything useful and IIRC the command line tools were very hard to use for reviewing/restoring passwords when you mess up updates, etc.
pass sets up a .gitattributes and configures git to convert gpg files to text via a custom driver. This enables a text-diff of the encrypted contents out of the box (at least for a store I've just set up to test this).
~/.password-store # cat .gitattributes
*.gpg diff=gpg
~/.password-store # cat .git/config
# ...
[diff "gpg"]
binary = true
textconv = gpg2 -d --quiet --yes --compress-algo=none --no-encrypt-to --batch --use-agentstevekemp an hour ago
For the structure I "solved" that problem by creating folders with three main files:
Websites/foo.com/username
Websites/foo.com/password
Websites/foo.com/email
It's not perfect, and I do dislike the way that the metadata isn't encrypted, but on the whole I'm happy with the solution.
rendaw an hour ago
Yeah sure, but then are the conventions you came up with shared by all the tools in the ecosystem too (ex: browserpass)? Since the keystone (pass) declined to provide strong guidance, you end up with fragmentation and incompatibility.
stabbles 2 hours ago
> - The fact that it's essentially unstructured data makes it hard to work with generically. If you have a username + password and need to use those in a script, you'll need to implement your own parser in your shell language in every script you need it in.
Fair, but you can use your own conventions.
> - `pass generate` to generate new passwords, maybe thanks to the above, replaces everything in the pass value by default. So if you had e.g. a password + secret question answers, if you use `generate` to get a new password it'll wipe out your secret question answers.
Just split it into `site/pass`, `site/secret-question`, etc. The fact that it's just using a directory tree is quite nice.
> It's very difficult to review history. I stopped using it a while ago, but since everything's encrypted `git diff` won't give you anything useful
`git diff` would be an odd command to run on generated passwords even without encryption. What matters is that you know when the last change was for a password or site with `git log <file/dir>`, and you can just `git checkout -d <old commit sha>` if needed.
> - The name makes it nearly impossible to search for
in the terminal `$ pass` typically suggests the associated package.
eptcyka an hour ago
`pass git diff` decrypts the passwords for me.
mid-kid an hour ago
"pass generate" has a -i flag to only replace the password in a file (assumed to be the first line)
enkrs 5 hours ago
Browser password managers with passkeys are more convenient for me, but a pass vault can still be useful for recovery codes and API keys.
I used pass for a while but couldn’t see what threat model it actually solves:
If you let GPG agent cache your key, any script (e.g. an npm post-install) can just run `pass ls` or `pass my/secrets` and dump all your credentials. At that point it’s basically just full-disk encryption with extra steps—might as well keep everything in ~/passwords.txt.
If you don’t cache the key, you’re forced to type your long GPG password every single time you need a secret.
I tried a YubiKey for on-demand unlocking, but the integration is clunky and plugging it in constantly is a pain if you need passwords multiple times per hour.
I eventually switched to Bitwarden.
aborsy 4 hours ago
That’s true for any password manager. If the database/store is unlocked (so the master password is cached or available in RAM), all passwords can be extracted. You have to lock the password manager when you don’t need it.
In fact, with Bitwarden, the cached password is exposed to the browser that has a large attack surface (including interacting with random remote servers). There was just a vulnerability in most browser based password managers including Bitwarden that would allow a remote attacker trick a user send out their passwords.
I use Bitwarden but mostly for non-critical passwords.
charcircuit 2 hours ago
>That’s true for any password manager
Modern operating systems isolate individual apps such that a malicous app can not access the RAM of another app. There is a difference between not making an effort to protect passwords and requiring an OS exploit to do so.
codethief an hour ago
aborsy an hour ago
eptcyka an hour ago
You can configure the yubikey to need a PIN and/or touch to authorise the use a GPG key.
My main issue with pass is that it doesn’t work great on iOS with yubikeys.
puffybuf 3 hours ago
I store my passwords on an encrypted file partition sqlite database. My script grabs the pass and immediately closes the partition afterwards.
You can also just encrypt your passwords into individual encrypted files (one for each password) and have your script clear the gpg agent after a passfile is decrypted.
justusthane 5 hours ago
> a pass vault can still be useful for recovery codes and API keys
You might already be aware of this, but Bitwarden also has a CLI client that can be used for this purpose, at least casually.
ggiesen 4 hours ago
And can run a local webserver to expose an API (though they still need to tighten up security on it)
yehoshuapw an hour ago
it took a while to get it to work well, but I use yubikey here, and recommend it. I do need to find and pulg it in sometimes, but overall might leave it plugged in. and I have it configured to require a touch for every operation
komali2 3 hours ago
I can't remember how but pass for me works in brave browser and Firefox, as well as on mobile. It's my only password manager. I'm assuming some browser plugin.
drnick1 7 hours ago
This is interesting for CLI lovers, but I feel KeepassXC on desktop + KeepassDX on Android (with the password DB stored on my own machine and accessed remotely via Wireguard) is a better solution for normies.
mid-kid an hour ago
The only use case of mine that's not solved by keepass is creating passwords on two separate machines without a direct connection, and merging them later.
elevation 6 hours ago
Don't forget keepassxc.cli, which allows you to programmatically set and retrieve secrets. The interface is significantly more user friendly arcane. I used it when I needed to build an encrypted secrets bundle (so that one long password could temporarily unlock some API keys required for a disaster-recovery situation.) I was able to generate a single file plus a "Makefile" to unlock it and pass the keys into the appropriate environments.
I had attempted to use GNU `pass' first, but sadly, it requires me to manage gnupg, which is a well known minefield of poor default options, and assumes it should be integrated into your shell by storing things in your user profile directory (instead of using the directory relative to where you call it.) This jeopardized my copy-one-file workflow, so despite its ubiquity I had to abandon it.
laszlojamf 3 hours ago
"Normies"? Everything is relative, I guess. I use 1Password and just hope for the best.
usr1106 an hour ago
Right. Having an own machine 24/7 online and setting up wireguard to it does not sound very typical.
I use pass myself and I don't care about mobile. But I really don't know what to recommend family members.
bramgn 33 minutes ago
shikaan 3 hours ago
Shameless plug. I built a tool[1] to manage Keepass archives in the terminal which might scratch some of the itches I am reading here: it has a TUI, but can be piped into other commands too.
PhilipRoman 3 hours ago
FYI for desktop there is a "passmenu" script that you can bind to a key in your DE/WM.
hyperpl 6 hours ago
Any particular reason for remote access via wg and not via syncthing? I'm also curious how you access it via wg on Android?
drnick1 4 hours ago
I already use WG to access other services running on my LAN. The DB is on a Samba share, and I use KeePassDX as a client on my phone (GrapheneOS).
msravi 6 hours ago
There's also the pass-otp extension that generates OTPs!
https://github.com/tadfisher/pass-otp
The pass android app is really nice too
https://play.google.com/store/apps/details?id=dev.msfjarvis....
It also works in termux
Kwpolska an hour ago
> This app isn't available for your device because it was made for an older version of Android.
And no, those apps don't work great, because they involve some clunky GPG app.
bramgn 21 minutes ago
Agreed, GPG is not the most intuitive tool, but once you are familiar enough with it, it opens some doors.
For me termux and pass (from F-droid) have solved my password management for many years. I never have to struggle finding passwords. The security aspect of it is the least I care about, it's the convenience and simplicity of it.
Since the passwords are all just files on a disk inside a directory tree, you can use any old file system tools to find your passwords. Same for MFA. I store the base32 string inside pass and that's the end of it.
ninjin 4 hours ago
Thank you for sharing. My solution has been to dump small scripts like this in ~/bin:
#!/bin/sh
set -eu
k=$(pass ARG)
oathtool -b --totp "$k"lucb1e 6 hours ago
This is fun if you never leave yourself, but be wary with whom you share it. As a company password manager, there is no way to know who's accessed which secret across their lifetime at the firm so you get to change all the passwords constantly. (Or none, if you can't be bothered.) (Don't ask.)
Or if someone newly needs access, there's no standard way of re-encrypting the files you're guessing they need. You need to hack something together yourself
It uses git, but the commit messages are autogenerated and useless. It might as well have used Dropbox for all the use you get out of it when wanting to find the version before someone corrupted data with their somehow-broken gopass client
There is no way to ever erase anything you've accidentally pushed, short of rewriting the git history and breaking it for everyone (or for personal use: other client devices)
It looks nice and simple, and I like that I can interface with it with manual tools (e.g. write my own commit messages to have some idea of wtf is going on, e.g. when mass-reencrypting to not have 300 commits), but the simplicity is also the pitfall. Feels a bit similar to using hash(site_name+main_password) as a per-site password: beautiful in simplicity but various practical issues
Does anyone have good experiences with a password manager for a corporate environment? Ideally not having yet-another service to maintain, but also not have a server compromise equal business compromise (so end-to-end encryption between the users; verifying fingerprints or some such). From what I found so far, Bitwarden seems to meet that bill but I don't know if there are also others
ganomi 3 hours ago
I have no practical experience yet, but i evaluated the market for a password sharing solution for a team with similar requirements within an enterprise.
Another option in that area is https://www.passbolt.com/
It uses a public/private key approach, where the plain passwords never leave the local machine and shared passwords are re-encrypted with each users public key.
supriyo-biswas 6 hours ago
My current employer uses 1password and it has a couple of nifty features like "vaults" shared with a group of people, an "op run" command to inject secrets using a .env file, service accounts to fetch passwords in CI, etc.
conception 5 hours ago
It has dev environments now too! https://developer.1password.com/docs/environments/
ggiesen 4 hours ago
Bitwarden is pretty usable, we use it at our org, and while still has a rough edge or two for corporate use, gets better all the time.
62 6 hours ago
I agree
ragnot 8 hours ago
If you are using age instead of GPG for encryption purposes, I've found this to be useful: https://github.com/FiloSottile/passage
networked 3 hours ago
There are also other pass-like password managers that use age. The developer of one has made a comparison table: https://gitlab.com/retirement-home/seniorpw/-/tree/02dc02d1e.... (Disclosure: pago in the table is mine.)
echo42null an hour ago
Best practice question for syncing pass across devices: Since exporting and re-importing the private key to a phone seems risky, is the recommended approach to generate a separate GPG key pair on the mobile device and re-encrypt secrets to it?
WD-42 6 hours ago
Pass is still amazing after all these years. Shameless self plug: I wrote a gnome search provider for it so you can lookup passwords from the overview. Supports OTP as well. https://github.com/Fingel/ripasso-gnome-search-provider
hyperpl 7 hours ago
I used pass for many years and loved it. I sync'd my password store between 3+ devices including my Android phone using a git remote. I don't recall the exact reason - maybe the pass android client I had used for years went away? I decided to find the next best option and settled on keepassxc and KeePassDX. The backing store is a binary blob but it does surprisingly well via syncthing: autoupdate works and in the event of a conflict the db merge feature hasn't yet failed me.
Granted on the desktop I find using a (qt especially) GUI more invasive than a terminal but at least on the Android side the app is quite good.
dclaw 5 hours ago
Happy pass user for ~8 years now, have ~1300 passwords stored. No issues whatsoever. Use git to sync it across devices, totally awesome.
porridgeraisin 4 hours ago
How do you have 1300 passwords? Sounds like a lot. Come to think of it though, I have no idea how many I have.
bartvk 2 hours ago
I checked, also just over a thousand. So it seems normal, in the same order.
aborsy 5 hours ago
I have heavily used Pass over the years. Here are some of its pros (an update to my comment several years ago):
* Your secret key can be stored in Yubikey, handled by a dedicated OpenPGP agent. This allows deriving a strong key from a weak one. Your password is basically a short PIN with max 3 tries. Every password retrieval can require a physical touch. This is convenient and secure!
Pass makes sense if you use it with a hardware key, with touch enabled. With this setup, it’s hard to beat its security.
* It uses public key cryptography, and comes with its advantages. You don’t need your master password to add/encrypt passwords. You only need that for decryption. Less exposure of master key, and more convenience.
For that reason, it’s well suited to share passwords with other people or devices. You can encrypt to multiple public keys. This adds multi user and device support.
You can easily add a backup offline public key (which you may print) if you lose your Yubikey.
* You can decrypt a single password without decrypting and exposing other passwords. The passwords are isolated, if you use Yubikey.
* Searching passwords is quick and transparent. You easily see what is in your store.
* You can use it programmatically, eg, your backup script can grab a password from the store.
* It’s a short bash script that you can verify, and delegates encryption to a dedicated well-audited cryptographic tool.
* PGP is a standard, and GPG and git are widely available. There is no database to break or migrate. You can read your passwords anywhere and in the future.
* The script is written by the creator of the acclaimed Wireguard!
There are also cons.
* Some people don’t like that it leaks metadata (filenames, and password tree), though there are versions of pass that fix it.
* Lately gpg is causing some troubles with Debian Trixie. GPG agent frequently locks the Yubikey and requires restarting pcscd (probably due to conflicts with pcscd). There is a similar tool Passage using Age, maybe that solves it.
* There are mobile apps, but they are not as frequently updated as something like Bitwarden apps (which has client for every OS, and frequently fixes bugs and adds functionality).
* I haven’t used and not sure how good browser support is.
Here is a post on a similar password management with GPG replaced with Age
hazek112 5 hours ago
Any recs for yubikey setup guides with pass?
aborsy 5 hours ago
Nothing specific to pass. It’s just Yubikey setup with GPG; that’s part of the appeal!
https://github.com/drduh/YubiKey-Guide
This guide covers many adjacent topics; the relevant part is generating the secret key inside Yubikey, or in an airgapped system and doing “key-to-card” in gpg.
echo42null an hour ago
How would you build a dead man’s switch for pass? I’d like my family to be able to access my store if I disappear, but not before. The obvious problem: to re-encrypt for their keys I’d need my private GPG key running somewhere, which defeats the point. Has anyone solved this cleanly without leaving a hot key around?
arccy 39 minutes ago
key sharding with a trusted third party? computer systems can't know of your death, or even true time, so you have to trust something like a company holding the secrets for you, or your lawyer...
mjd 7 hours ago
I've been doing basically this for many years now.
Each password file is AES-encrypted with my master password.
I copy the whole vault around between machines with rsync.
When I run 'password bank' a shell script searches ~/private/Passwords for files that contain ‘bank’ and offers a menu, then gpg-decrypts the file I selected.
I also use this for scans of my passport, recording my bank account numbers, and anything else I want to keep around.
I thought I was the only one, and now I've found out there are thousands of us!
commandersaki an hour ago
I love Jason Donenfeld’s work, but I don’t really see the point of pass compared to using an encrypted text file, the latter being far more ergonomic.
tlamponi 6 hours ago
I like pass and use it a lot, especially as it provides a good and safe backup for the case my vaultwarden instance goes up in smokes.
There is also a drop-in replacement with has some extra features and a bit better UX in some parts, personally I only really use it for the better support for handling multiple GPG keys, as I got some physical backup keys and it can be also nice teams for a shared vault.
johntash 2 hours ago
Huh, I thought pass wasn't developed anymore for some reason. Glad to see it still is!
Related: https://github.com/gopasspw/gopass
I haven't used pass in a long time, but I used gopass for a while in a small team and it was pretty great.
Kwpolska an hour ago
Pass might work if you really like terminals and only use computers with a Unix-like OS. But if you use a phone, or Windows, pass is just too clunky to use.
johannes1234321 an hour ago
The android "Password Store" app is okay'ish, integrates with accessibility API to offer auto fill in many apps.
realusername an hour ago
I'm using pass on a phone with Termux.
Sure it's a bit clunky but it's been working since 2014 without any interrution or privacy leak. I can't say the same about most password manager.
jwgarber 6 hours ago
Pass is great, but GPG keys are complicated and add a lot of extra overhead if you don't have one already. Frankly I cannot recommend anyone use GPG today for any purpose. I wrote a much simpler CLI password manager instead that meets explicit security models.
https://codeberg.org/jwgarber/napa/src/branch/main/database....
mongol 3 hours ago
This is interesting. But does this program have some model or approach for using it in several devices? Is the database syncable in some way, or would you need to remote in to the master location to run it?
awaymazdacx5 7 hours ago
I have twelve ISBNs that I encrypt for passwords.
Depending on which genre, managing key-rings has element of physical security to encrypt signatures in terminal and bash shell.
For full disk encryption, genfstab and /boot/grub/grub.cfg should contain sigs for partitions.
edoceo 6 hours ago
This is the wirgeuard dude. Jason is one of the GOATs
andrewrn 7 hours ago
Growing tired of Bitwarden in the browser, so this is pretty intriguing. But its hard to forgo mobile compatibility.
Kwpolska an hour ago
Try KeePassXC on desktop, KeePass2Android on mobile (there's something on iOS too).
There are some pass apps for Android, but they're a pain to use.
lytedev 5 hours ago
Bitwarden has a desktop GUI app as well as an official CLI. If you're comfortable with it, there are also community ones like https://github.com/doy/rbw
acaloiar 6 hours ago
No need to forego mobile if you're on iOS [1].
1. https://apps.apple.com/us/app/pass-password-store/id12058205...
nixpulvis 6 hours ago
This app wasn't working for me last time I tried it. Granted that was a few years ago.
cl3misch 3 hours ago
andrewrn 6 hours ago
Holy shit... this is dope as hell. Thank you
obk0943t 7 hours ago
There is still no just-download clients for pass on mobile which I think is why it's not a good option
notpushkin 7 hours ago
There’s one for Android, though it has been looking for a new maintainer for a while now: https://github.com/android-password-store/Android-Password-S...
Edit: looks like there’s a community fork now! https://github.com/agrahn/Android-Password-Store
tretiy3 3 hours ago
Life saver! New version lacks OpenKeychain integration (they discuss in issues that it is also no longer maintained). Abandoned version of Android Password Store had some issues with embedded PGP manager and was not working for me. But this fork works!
cramsession 7 hours ago
I ssh in from my phone, which works pretty well.
bharrison 7 hours ago
Same
mattacular 5 hours ago
there is for iOS - passforios - https://apps.apple.com/us/app/pass-password-store/id12058205...
works great.
braincat31415 7 hours ago
I use it inside termux on android. There is a termux pass package. But it might be hard to input a complex decryption password on the phone keyboard.
nixpulvis 6 hours ago
I use pass a good amount, but I wish there were better OS/mobile integrations.
wfleming 6 hours ago
What kind of mobile functionality were you looking for? The (unofficial) iOS app is pretty good IMHO and integrates with iOS’s OS-level password filling, and also supports the pass-otp plugin’s format for 2fa codes if you use that plugin. There was a decent Android client I used a while back as well, though I don’t recall the name.
[1]: https://apps.apple.com/us/app/pass-password-store/id12058205...
avh02 6 hours ago
Not the parent, but dwindling yubikey support (for gpg key storage) is an issue, had to pull out a legacy version on Android for it to keep working (they changed the underlying crypto library and lost the support there)
No ipad version I've found supports yubikey either
rasengan 7 hours ago
Another great software contribution to the world by Jason Donenfeld, creator of WireGuard!
sgsjchs 7 hours ago
Why would you want to store arbitrary individual passwords instead of deriving them with on demand from the service name/domain and a common secret?
snailmailman 7 hours ago
If you are doing that,
- what if some site has weird password requirements and the derived password doesn’t work
- what if a site gets hacked and you need to rotate one password.
If you have to store data per-site anyway because of those cases, may as well just store passwords. You can (and should) still generate extremely high entropy passwords.
merlincorey 7 hours ago
Additionally, you can store other data for example one could have scans of important documents that are stored in Pass which means they are GPG encrypted and backed by a git repository so they are versioned and shared across multiple machines.
lucb1e 7 hours ago
indeed. Additionally:
- if your secret leaks and you don't know it (or you do know, but you need some time to change it), the attacker not only gets the snapshot of your password manager but also can derive all future passwords you'll generate, or past ones you long forgot about
- there's no way to know what you've entered before, since it's stateless. With data stored in a manager, I know what username I used and can associate other data. If your uniqueifying input is the domain, and let's say HN would become hn.yc or whatever and you visit it again in ten years, you'd have to remember that hn.yc accepts the password of what you entered as news.ycombinator.com
I have to admit though, hash(name+secret)=password is so simple and beautiful that it draws IT people like a fine artwork draws visitors. But for me, that doesn't outweigh the practical issues
akerl_ 7 hours ago
Because the former works with any site and circumstance and the latter does not.
gmuslera 7 hours ago
Not all sites are safe, either by design or by people running them. Having a common secret+service name as password AND having at least one of those sites leaking your plaintext password could mean that your derivation may go public and all your other passwords and services fall because of that.
listeria 6 hours ago
presumably the derivation would involve a cryptographically secure, non-reversible function so as to not compromise the secret should one of them be leaked.
jibal 3 hours ago
"deriving them" != op<+>