Why I use pass (and you might want to, too)
pass is great. I started using it as my password manager about a year ago, and since I'll refer to it in future blog posts, I wanted to make clear why and how I use it.
What's it do?
Although the pass devs show a fair bit of arrogance in calling pass "the standard unix password manager", at least the "unix password manager" part is correct – pass feels decidedly unix-y. This is mostly due to the clean CLI interface, and the fact that it uses established utilities (mostly GPG, and a bit of git) to do its work.
The usage is simple and better explained elsewhere:
    pass init <gpg-id>                 # Start a new store, encrypted to the given GPG key
    pass git init                      # Add git support
    pass git remote add origin <repo>  # Add a repo to auto-push changes to
    pass                               # List available passwords
    pass <path>                        # Show contents of <path>, with full tab completion
    pass -c <path>                     # Copy contents to clipboard for 45 seconds (by default)
    pass edit <path>                   # Open <path> with $EDITOR
    pass generate <path>               # Password generation is inbuilt, as well
But why is it great?
Well, apart from
- easy handling
- plugins for Firefox and Chrome
- an Android and iOS app
- the really smooth git integration,
- the dmenu-style passmenu (start it with -c to directly copy to your clipboard),
- an unholy amount of migration scripts,
- the fact that it runs locally instead of on other people's servers,
- and the very active community,
… what really attracted me to pass was that it was just a convenience script around well-known tools, meaning that I can decrypt my password files even without pass by invoking gpg directly (not that it is nearly as fun, though). The ease of invocation also makes pass an easy target for password manager integrations with other tools (as shall be shown in another post later on).
Where lies the rub?
Wellll, since pass stores every entry as an encrypted text file in a plain directory tree on your file system, you're exposing valuable information – that is, folder and file names, comparable to subjects in GPG emails. To me, this is acceptable because my drive is encrypted, and with paths such as Accounts/GitHub, I'm not exposing valuable information. If this bothers you (as it probably should!), consider using the extension pass-tomb, which stores all data in a tomb created and encrypted by the same key pass uses.
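To see exactly what your own store gives away without the key, here is an added audit script (not from the original post or the pass project). It assumes the standard store layout; the "@" heuristic, the sample store and the key id `ABCD1234` are constructed for illustration.

```sh
#!/bin/sh
# Added example: list what a pass store reveals to anyone who can read the
# directory (a backup, a git remote, an unencrypted disk) WITHOUT the GPG key.
# Nothing here decrypts; reading one entry without pass would be
#   gpg --decrypt "$store/Accounts/GitHub.gpg"

# Resolve the store directory: argument, else pass's own default lookup.
store_dir() {
    d="${1:-${PASSWORD_STORE_DIR:-$HOME/.password-store}}"
    printf '%s\n' "${d%/}"
}

# Cleartext entry paths, one per line (git metadata is skipped).
store_entries() (
    store=$(store_dir "$1")
    find "$store" -path "$store/.git" -prune -o -type f -name '*.gpg' -print |
    while IFS= read -r f; do
        f="${f#"$store"/}"
        printf '%s\n' "${f%.gpg}"
    done | LC_ALL=C sort
)

# Key IDs named in .gpg-id files (also cleartext), as "<subfolder>\t<id>".
store_recipients() (
    store=$(store_dir "$1")
    find "$store" -path "$store/.git" -prune -o -type f -name '.gpg-id' -print |
    while IFS= read -r f; do
        dir="${f%/.gpg-id}"; dir="${dir#"$store"}"
        while IFS= read -r id; do
            printf '%s\t%s\n' "${dir:-/}" "$id"
        done < "$f"
    done
)

# Assumed heuristic: an "@" in an entry name usually means a login or e-mail
# address sits in the path itself, i.e. outside the encryption.
revealing_entries() (
    store_entries "$1" | grep '@' || true
)

# Constructed sample store (empty files stand in for ciphertext).
demo=$(mktemp -d)
mkdir -p "$demo/Accounts" "$demo/Mail" "$demo/.git"
: > "$demo/Accounts/GitHub.gpg"
: > "$demo/Mail/alice@example.org.gpg"
printf 'ABCD1234\n' > "$demo/.gpg-id"   # placeholder key id
store_entries "$demo"; store_recipients "$demo"; revealing_entries "$demo"
rm -rf "$demo"
```

Called without an argument, each function falls back to `$PASSWORD_STORE_DIR` or `~/.password-store`, so the same functions can be run against a real store.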
Use it!
If you're mostly a command line person, and simple CLI interfaces with git integration sound good to you, and you do not have a password manager yet … pass is for you. If it is not … please use any other password manager with reasonable security that does not keep your passwords on other people's servers.