- pass-code: A pass extension that obscures the filenames and folder hierarchy within your password store.
- age: A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.
- passage: Discontinued. An independent reimplementation of password-store, using `age` rather than PGP. NOTE: This isn't the passage project based on password-store. Use that; I don't really maintain this right now. https://github.com/FiloSottile/passage (by somasis)
- dotfiles: My personal monorepo: dotfiles, /etc-files, single-file scripts, vim plugins, webexts/userscripts, xmonad config, all that stuff… (by liskin)
I've been using pass for several years now and I recommend it to my friends, but I usually get weird looks when I say I store my passwords in a git repo (it's not as bad as it sounds!). Here's why:
- I host my git repo on my desktop computer (through SSH), so it's not exposed anywhere except if you have SSH access to my computer. (A lot of people seem to think git = GitHub, which is not true.)
- The passwords are GPG encrypted so even if it were leaked that would be okay as long as my secret key remains secure.
As far as usability goes, I usually use the -c option to copy/paste my passwords. I used a browser extension for a while, but I haven't gotten around to reinstalling it since the copy/paste works fine for me. Syncing with my phone and Linux devices works perfectly (since it's just git).
The Windows client seems to be no longer maintained [1], so I would like better support here for my Surface. But this is still okay since I can SSH to my desktop computer from Windows and copy/paste the passwords from there.
I don't use pass myself (I have severe NIH[1]), but its design has inspired me many times over: very, very few tools rise to the challenge of adhering to the Unix philosophy without cargo-culting it, and pass is one of them. I highly recommend that people looking to write engineer-friendly tools study its manpage[2].
The Password Store app delegates key management to another app. I use OpenKeychain [1] for this. I believe OpenKeychain supports Yubikeys, but I haven't used that feature myself so I can't speak about how well it works.
I love the simplicity of Pass, but I wanted just a few more features, like being able to store (and retrieve) extra data easily. Unstructured data below the initial password wasn't really enough for me.
I ended up taking huge inspiration from Pass, but writing my own implementation[1] with a few more features that increased its usefulness for my use cases.
I posted it a while ago on here[2] and Reddit[3], but it basically stores each entry as a Bash script, which gives it so much flexibility: auto-typing, references, multiple fields, executable functions, etc. I also wrote a blog post on it[4].
I'd be interested to hear what people think of it if anyone did/does end up giving it a go.
I've developed `prs` as `pass` alternative with many annoyances fixed for daily use. It provides automatic syncing between multiple devices through git, supports multiple keys and many other things. It simply uses your existing `pass` store.
Some might find it useful: https://github.com/timvisee/prs
There's the pass-code extension for that:
https://github.com/alpernebbi/pass-code
> A pass extension that obscures the filenames and folder hierarchy within your password store.
> pass-code generates random filenames for each file in the password store and keeps the mapping in an encrypted file. This way, no valuable information is accessible even if your password store is leaked to the public (unless your GPG private keys were also leaked). Nevertheless, you should always ensure proper protection of your password store.
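Two points in the comments above are checkable on a real store: the claim that a leaked repo is harmless because every file is GPG-encrypted, and pass-code's observation that the filenames still leak which accounts you have. The following POSIX shell script is an added example, not code from the thread, from pass or from pass-code: it walks a store directory, flags any file that is not an OpenPGP message (a plaintext file accidentally committed would otherwise ride along on the next push), and lists the entry names that the directory layout reveals even when encryption is intact. The store path, the sample files in the test and the list of non-encrypted housekeeping files (`.gpg-id`, `.gitattributes`, `.extensions/`) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread, pass or pass-code): audit a pass store.
# A binary OpenPGP message starts with a packet tag byte: 0x84/0x85 for a
# public-key encrypted session key (normal `pass` output) or 0x8c/0x8d for a
# symmetrically encrypted session key; ASCII-armored output starts with a
# "-----BEGIN PGP MESSAGE-----" line. Anything else is treated as plaintext.

# Returns 0 if the file looks like an OpenPGP message, 1 otherwise.
looks_like_pgp() {
    first=$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')
    case "$first" in
        84|85|8c|8d) return 0 ;;
    esac
    head -c 27 "$1" | grep -q '^-----BEGIN PGP MESSAGE-----' && return 0
    return 1
}

# Walks the store (skipping .git), prints one "PLAINTEXT <path>" line for a
# .gpg file that is not a PGP message and one "NOT_GPG <path>" line for any
# other stray file; returns 1 if anything was flagged, 0 if the store is clean.
# Housekeeping files pass keeps unencrypted are skipped (assumed list).
audit_store() {
    store=$1
    problems=$(find "$store" -path "$store/.git" -prune -o -type f -print | sort |
        while IFS= read -r f; do
            case "$f" in
                */.gpg-id|*/.gitattributes|"$store"/.extensions/*) ;;
                *.gpg) looks_like_pgp "$f" || echo "PLAINTEXT $f" ;;
                *) echo "NOT_GPG $f" ;;
            esac
        done)
    [ -n "$problems" ] || return 0
    printf '%s\n' "$problems"
    return 1
}

# Lists the entry names a leaked store reveals even with intact encryption:
# this is the metadata pass-code replaces with random filenames.
leaked_metadata() {
    (cd "$1" && find . -name '*.gpg' | sed 's|^\./||; s|\.gpg$||' | sort)
}

# Usage: sh audit_pass_store.sh ~/.password-store
if [ $# -gt 0 ]; then
    echo "Entry names visible without any key:"
    leaked_metadata "$1"
    echo "Checking that every entry is encrypted:"
    audit_store "$1" && echo "OK: no plaintext found"
fi
```

Running this as a git pre-push hook on the store repo turns the "it's encrypted anyway" argument into something enforced rather than assumed; the `leaked_metadata` listing is what you are accepting as public when you keep the standard layout.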
I wrote a pass equivalent for KeePass for this very reason [0]. KeePass doesn't leak any metadata because everything is contained in a single file.
I'm thinking about adding encrypted file support to my pass wrapper, p, but I've not really found a good argument to support breaking mobile apps (such as https://github.com/android-password-store/Android-Password-S...).
You'd have to manually look up the entries in a lookup table to resolve obfuscated names back to readable names... Or upstream support for whatever format is devised. I dunno.
[1]: https://github.com/DDoSolitary/OkcAgent
Simple password decrypt: `okc-gpg -d ~/.password-store/mypass.gpg`
I made a termux shortcut (button on homescreen) to emulate pass-dmenu via this (store in `~/.shortcuts`):
#!/data/data/com.termux/files/usr/bin/env bash
> Integrity - Ensure that only authorized parties are allowed to modify data. gopass makes no attempt at protecting the integrity of a store. However, we plan to do this in the future.
https://github.com/gopasspw/gopass/blob/master/docs/security...
> It’s secure, because it’s a short bash script
There is also a POSIX sh implementation available that is even shorter: https://github.com/dylanaraps/pash
We made an extension for encpass.sh that stores secrets in Keybase (https://github.com/plyint/encpass.sh/blob/master/extensions/...) if that sort of thing is of interest to you. Outside of personal secrets, it can be used as a sort of low cost stand in for shared secrets that you might use something like Vault for in a team environment.
I use it for 2FA (via https://github.com/tadfisher/pass-otp ) on my OpenMoko (QtMoko). I installed it via apt-get from the normal Debian repos.
I’ve been using Pass for years, and love it.
Question for HN... is there a project that anyone knows of, that is using Age instead of GPG as the encryption for Pass? I’ve seen a few implementations of it, but nothing I’d use for a daily driver yet.
Example, not my project - https://github.com/somasis/passage
* pre-selection of entries by looking at URL and focused form field
So in most cases I press a keybinding which invokes passmenu, and then just press enter as the correct entry and field (password/username) is already selected. Quite handy.
Source here if anyone's interested: https://github.com/liskin/dotfiles/blob/home/bin/passmenu and https://github.com/liskin/dotfiles/blob/home/bin/.passlib