Managing passwords the open source way

No readers like this yet.
code editors
Image by:

Opensource.com

At this point, I have more usernames and passwords to juggle than any person should ever have to deal with. I know I'm not alone, either. We have a surfeit of passwords to manage, and we need a good way to manage them so we have easy access without doing something silly like writing them down where others might find them. Being a fan of simple apps, I prefer using pass, a command line password manager.

It's never been a good idea to use the same username and password with multiple services. But in today's world? It's potentially disasterous. So I don't. At the moment, I'm juggling something like 90 to 100 passwords for all of the services I use. Multiple Twitter accounts, my server credentials, OpenShift applications, my FAS credentials, sign-in for Rdio, and lots more.

As you might imagine, trying to memorize all of those passwords is an exercise in futility. I remember my system password, and a handful of others. Beyond that? I'd rather save some of my brain's limited storage for more important things.

What's pass, and what's it require?

So what is pass? It's basically a simple command-line utility that helps you manage passwords. It uses GnuPG-encrypted files to save and manage user passwords. It will even keep them in a git repository, if you choose to set it up that way. That means you'll need the pass package installed, along with its dependencies like git, gnupg2, and pwgen (a utility for generating passwords).

Yes, there are other options, but I settled on pass a while back as the best fit for my needs. Here's how you can give it a shot and see if it works for you!

Installation and setup

Installing pass is simple. It's conveniently packaged for Fedora. Just open a terminal and run:

yum install -y pass

and it should grab all the dependencies you need.

The first thing you need to do is create a GPG Key. See the Fedora wiki for detailed instructions, or just use:

gpg --gen-key

and walk through the series of prompts. When in doubt, accept the defaults. Now, you just need to initialize your password store with:

pass init GPG-ID

Replace "GPG-ID" with the email address you used for your GPG key.

Adding and creating passwords

Now that you have a password store set up, it's time to start creating or inserting passwords. If you already have a password you want to store, use:

pass edit passwordname

For example, if you were going to store your Fedora Account System (FAS) password, you might use:

pass edit FAS/user

with "user" being your username in FAS.

This will create a directory (FAS) and the file (user) in Git, and encrypt the file so that no one can read it without your GPG passphrase. If you look under ~/.password-store/FAS/ you'll see a file like user.gpg. The directory part is optional, but I find it useful to help keep track of passwords.

If you want to create a new password, just use:

pass generate FAS/user 12

where "FAS/user" would be the username, and the password length (generated by pwgen) would be 12 characters. The auto-generated passwords will include upper- and lower-case letters, numbers, and special characters.

Creating a git repository

One of the biggest selling points to me for pass is its integration with git. But it's not automatic; you do need to tell it to initialize the git repo and use it. First, make sure you've set your git globals:


git config --global user.email "your@email.com" 
git config --global user.name "Awesome User"

Then run:

pass git init

and it will intialize a git repository in your password store. From then on, it will automatically add new passwords and such to the git repo. If you want to manage passwords on multiple machines, this makes it dead easy: Just clone the repository elsewhere and keep them in sync as you would a normal git repo.

Reading passwords

To recall a password, all you need to do is run pass user, so pass FAS/user would print out the password to the terminal. But what if you don't want it to be seen by someone looking over your shoulder?

Here's a nifty workaround for that. Just use:

pass -c FAS/user

and it will simply copy your password to the clipboard for 45 seconds. All you have to do is run the command, move over to the application where you'd like to enter your password, and then hit Enter.

If you've forgotten what passwords you have stored with pass, just use pass ls and you'll get a complete listing.

Deleting passwords

Sometimes you need to get rid of a password. Just use:

pass rm user

and pass will ask if you're sure, then delete the password file.

If you delete something by accident, you can simply go back and revert the commit!

Stay safe

So that's the basics of using pass. You can get even more examples by running:

man pass

and I highly recommend skimming the man page at least once.

I have been using pass for some time now, and it's been a life-saver. I hope it serves you as well as it has me!

Originally published in Fedora Magazine. Reposted here via Creative Commons.

Tags
Leadership and management
Security and privacy
Fedora Magazine
User profile image.
Fedora Magazine is an online publication for the Fedora community.
More about me

7 Comments

Avatar
sbicknel | July 3, 2014
No readers like this yet.

If someone gets access to your machine, they can run the pass program or whatever other password manager is installed on the system and steal all of your usernames and passwords; it doesn’t matter if they are encrypted. As far as the operating system is concerned, a program running as you is you, and with a convenient key also located in your user account it will gleefully unlock and display your passwords to any impostor using your account. Encryption used this way gives a false sense of security. If they can get to your encrypted password files, they can get to your encryption key files, too. What’s the point of trying to obfuscate the information like this when the key to unlocking it is sitting next to the lock?

Avatar
Bryan Behrenshausen | July 3, 2014
No readers like this yet.

The author does not mention whether a passphrase is necessary for unlocking pass' password list. If this is the case, wouldn't an attacker need the passphrase to do what you're suggesting? You should try it and let us know!

Avatar
Greg Land | July 8, 2014
No readers like this yet.

That's what the passphrase is for. Like ssh-key, gpg needs a passphrase that you actually have to type in to be secure. And if you use an agent for storing the passphrase in a session, someone would have to break into your session, not just your account, to gain unrestricted access. Even with TFA and a physical key (e.g. CAC), if someone gains all the keys and passphrases...well, your pwned. IMO, this is a far sight better than 'vi -x passwords', or worse, 'vi passwords'. Do you have a better idea?

Avatar
Oliver | July 3, 2014
No readers like this yet.

Is there an Android or iOS app to access the passwords stored by pass? Any synchronisation with other computers or mobile devices? I need my passwords on my Linux PC at work, on my Linux notebook at home, on my Android smartphone, on my tablet ... imho a local password storage is completely senseless nowadays.

Avatar
Lordon Giddy | July 3, 2014
No readers like this yet.

There is a better article on how pass works and how to use it at

liquidat.wordpress.com/2013/03/27/pass-a-perfect-shell-based-password-manager/

Personally I would recommend Figaro's Password Manager which comes with a GUI and can be secured with both a passphrase and a key file which are independent of each other. Obviously the key file could reside on external media (CD, USB key, etc.which could use an encrypted file system) rather than on the internal hard disk for even greater security.

Avatar
nico | July 7, 2014
No readers like this yet.

If you're using this with Gnome3 you may want to do:

gsettings set org.gnome.crypto.cache gpg-cache-method 'timeout'
gsettings set org.gnome.crypto.cache gpg-cache-ttl 60

So that the GPG password will be asked every time you call pass (actually, it will be stored for 60 seconds with the commands above, which may be practical in certain situations, but you can set the delay to 0).

Related Content

Creative Commons LicenseThis work is licensed under a Creative Commons Attribution-Share Alike 4.0 International License.