password management with pass and git

bigcoder

BigCoder

Posted on September 19, 2021

password management with pass and git

Pass is an open source Unix password manager, safe for personal and professional use.

It has a different user experience than existing password managers because it's a command line program.

It's basically a wrapper on GPG files which are stored in:

~/.password-store
Enter fullscreen mode Exit fullscreen mode

If you have multiple computers, you can sync with git.

But first, let's learn how to use pass. Setup gpg and pass.

How does it work?

First create a GPG key

gpg --full-generate-key
Enter fullscreen mode Exit fullscreen mode

Now you have a GPG key, make sure to back it up!

To show your keys:

gpg --list-secret-keys --keyid-format LONG
Enter fullscreen mode Exit fullscreen mode

Example output, pick the right key

sec   4096R/3AC5C34371567BD2 2019-10-10
uid                          toto <toto@example.com>
ssb   4096R/42B317FD4BA89E7A 2019-10-10
Enter fullscreen mode Exit fullscreen mode

It's 3AC5C34371567BD2 here.

Install pass

# installation on Arch Linux
sudo pacman -S pass

# installation on Ubuntu
sudo apt install pass
Enter fullscreen mode Exit fullscreen mode

Then create a new password wallet (change to your gpg keys)

pass init 3AC5C34371567BD2
Enter fullscreen mode Exit fullscreen mode

To add a password

pass insert twitter/user
Enter fullscreen mode Exit fullscreen mode

To generate a password of 16 characters

pass generate twitter/bob 16
Enter fullscreen mode Exit fullscreen mode

To show a password

pass get twitter/user
Enter fullscreen mode Exit fullscreen mode

To copy a password to clipboard

pass get -c twitter/user
Enter fullscreen mode Exit fullscreen mode

To list all passwords

pass list
Enter fullscreen mode Exit fullscreen mode

Example:

$ pass list               
Password Store
├── example
│   └── test
└── twitter
    └── test
Enter fullscreen mode Exit fullscreen mode

pass unix password manager

Weak passwords

It's important to choose strong passwords. That's because there are lists of millions passwords like rockyou.txt which can be used to brute force your Linux system using hydra.

Even a hashed password in /etc/shadow isn't necessary secure. Hashes can be cracked tools using tools like John the Ripper.

If you want to do hash cracking, there's a course here: John the Ripper.

strong passwords

How does it compare to Keepass and friends?

In terms of security the default config is not much stronger than Keepass.

Password managers typically store all passwords on the computer (internet connected device).

The bitcoin madness of last decade has shown that this was not the best idea (several people had private keys stolen).

In my opinion, it's not the most secure idea to store all your passwords on a general purpose computer (reduce attack surface). Especially when exploits for said software show up all the time.

So what's the solution?

You can setup Yubikey with pass and store the private keys on the key itself. This requires quite some setup time.

Alternatively, remember 500+ passwords in your head like me or cope.

💖 💪 🙅 🚩
bigcoder
BigCoder

Posted on September 19, 2021

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related