| basalt | pass-import |
|---|---|
| 2 | 410 |
| 68 | 799 |
| - | - |
| 5.1 | 8.0 |
| 8 months ago | 3 months ago |
| Shell | Python |
| Mozilla Public License 2.0 | GNU General Public License v3.0 only |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Ask HN: How do you share and sync .env files and secrets with your team
I moved to the `pass` ecosystem years ago and never looked back:
https://www.passwordstore.org/
- Ask HN: How To: Store and share passwords in a company?
- Show HN: Ward – a file vault written in bash
-
Twilio Confirms Data Breach After Hackers Leak 33M Authy User Phone Numbers
I'm really sorry for the situation you find yourself in and agree that it sucks. I'm replying because I want to mention that it is possible to use 2FA without any form of vendor lock-in (although I realize this doesn't help you retrospectively fix your existing issue). I'm not trying to be a wise ass, I just want to share some pointers for folks who are interested in avoiding or remedying this problem (which is a bit of a tricky problem).
I've been using pass (https://www.passwordstore.org/) for quite a few years now and it allows you to use multiple GPG keys to encrypt secrets in different subfolders. So I have a default GPG key that encrypts all my regular passwords, protected by a master password that is easy enough that I can regularly type it in on my smartphone.
Then I have a second GPG key with a much more complicated password that I use to encrypt my 2FA secrets (strings like "FX5D MJE8 F9F9 XFE0" that can be used to "seed" apps like Google Authenticator). These 2FA secrets I never access on my smartphone, I only access them on my laptop where I have a proper keyboard to type in the absurdly long password required to unlock these.
I wrote a small Python script that takes a 2FA secret and uses it to generate a TOTP URL that is then fed to "qrencode" (a command line program available on Linux and MacOS) which renders a QR code that I can scan into a TOTP app like Google Authenticator (like if I was first signing up for 2FA via the original website or service, the only thing that changes is who generates the QR code and when).
Because I saved the original 2FA "seeds" (my term, not sure what the proper term is here, but it's akin to the seed you feed into a random number generator) I can regenerate the QR code whenever I wish, which means that if my smartphone dies and I lose the 2FA secrets loaded into Google Authenticator, I can take an empty new smartphone, install Google Authenticator, and rescan all of the QR codes that bootstrap my 2FA sequences via my laptop. The other side (the website or service where I enabled 2FA) never needs to know I went through this procedure, in fact fundamentally it cannot know.
I've been using this same scheme to share 2FA codes with a team of system administrators so that we can properly protect e.g. AWS root accounts while still providing multiple individuals access without being tied to a single smartphone or 2FA app.
So long story short, it is possible, although admittedly (my way) it does require some cobbling together of different tools in order to get a workflow that handles this smoothly. But I sleep better at night knowing that all of my important accounts are protected by 2FA yet I can never be locked out of them, even if I lose my smartphone or laptop (the actual password store git repository lives on my server where it is backed up to several disks every couple of hours).
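The seed-to-QR workflow this comment describes, as an added example that is not the commenter's script: it decodes a base32 seed, builds the otpauth:// URL that authenticator apps expect, and computes the current RFC 6238 code so the seed can be checked before re-enrolling a phone. The seed, account and issuer values are constructed, and qrencode is assumed to be on PATH when the file is run directly.

```python
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse


def normalize_seed(seed: str) -> bytes:
    """Turn a human-formatted base32 seed ('jbsw y3dp ...') into key bytes."""
    cleaned = seed.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore base32 padding
    return base64.b32decode(cleaned)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def otpauth_url(seed: str, account: str, issuer: str) -> str:
    """Build the otpauth:// URI that a QR code should carry."""
    secret = base64.b32encode(normalize_seed(seed)).decode().rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({"secret": secret, "issuer": issuer,
                                    "algorithm": "SHA1", "digits": 6,
                                    "period": 30})
    return f"otpauth://totp/{label}?{query}"


if __name__ == "__main__":
    import subprocess
    seed = "JBSWY3DPEHPK3PXP"  # constructed seed, not a real account
    url = otpauth_url(seed, "alice@example.com", "ExampleCorp")
    print("Current code:", totp(normalize_seed(seed), int(time.time())))
    try:
        # Render the QR code in the terminal, as the comment describes.
        subprocess.run(["qrencode", "-t", "ANSIUTF8", url], check=False)
    except FileNotFoundError:
        print("qrencode not installed; URL was:", url)
```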
- Forget LastPass: Apple unveils 'Passwords' manager app at WWDC 2024
-
macOS Sonoma silently enabled iCloud Keychain despite my precautions
I fully agree.
> thinking people can run their own crypto better than they can
Running or developing?
You can probably run something like Password Store [1] fairly securely, though you still have to trust the operating system not to leak your secrets, and it turns out that today, regardless of your choice, all major operating systems more or less synchronize your data to the cloud.
I know Linux doesn't do it (Ubuntu tried some Amazon partnership once), but Linux is a poor match for many workplaces where Windows or MacOS are kings. Yes, you can run VSCode (or Vim/Emacs or whatever) on Linux, but running Photoshop, Fusion365 or various other business tools is not as "easy" as on Windows/MacOS, and in the end a company only has so many IT support staffers.
[1]: https://www.passwordstore.org/
- End of Life for Twilio Authy Desktop App
-
I Know What Your Password Was Last Summer
> I always tell these people to just sign up for a password manager and they always resist and say no. I must be missing something obvious.
Maybe they don't want to be relying on a random third-party for all their passwords?
Rather than getting them to sign up for a password manager, what about getting them to install a password manager? I use https://www.passwordstore.org/ - it encrypts your passwords with GPG, and shares the storage via a Git repository for synchronisation between different machines.
-
Command Line Interface Guidelines
That way you can delegate the password handling to another program, e.g. a password manager like pass(1) (https://www.passwordstore.org/) or some interactive graphical prompt.
-
Passit: Open-Source Password Manager
I want to move to something compatible with https://www.passwordstore.org/ - an open standard for keeping your passwords in a folder encrypted with OpenPGP.
The problem is that I'm nervous to give an unknown Android app and browser plugin total control of my passwords and access to my github account when I don't have time to review its code properly. I have a bit more trust in the command line tools, but I'd like to be sure that more people are looking at the code before I trust my life to it.
What are some alternatives?
cloudflare-nginx-dns-sh-scripts - Bash scripts to create nginx sites proxied by Cloudflare
gopass - The slightly more awesome standard unix password manager for teams
mycmd - Tool for writing and running commands from a command directory
vaultwarden - Unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs
nsd - NGS Scripts Dumpster
Bitwarden - Bitwarden infrastructure/backend (API, database, Docker, etc).
bash2048 - 2048 in bash
rofi-pass - rofi frontend for pass
scripts.sh - Handy Shell Scripts
Pass4Win - Windows version of Pass (http://www.passwordstore.org/)
lsofer - script to match similar functionality to lsof -i, and then some.
KeeWeb - Free cross-platform password manager compatible with KeePass