Why I use pass (and you might want to, too)

pass is great. I started using it as my password manager about a year ago, and since I'll refer to it in future blog posts, I wanted to make clear why and how I use it.

What's it do?

Although the pass devs show a fair bit of arrogance in calling pass "the standard unix password manager", at least the "unix password manager" part is correct – pass feels decidedly unix-y. This is mostly due to the clean CLI interface, and the fact that it uses established utilities (mostly GPG, and a bit of git) to do its work.

The usage is simple and better explained elsewhere:

pass init <gpg-id>  # Start a new store, encrypted to the given GPG key
pass git init  # Add git support
pass git remote add origin <repo>  # Add a remote repo; pass commits each change, push with "pass git push"

pass  # List available passwords
pass <path>  # Show contents of <path>, with full tab completion
pass -c <path>  # Copy contents to clipboard for 45 seconds (by default)
pass edit <path>  # Open <path> with $EDITOR
pass generate <path>  # Password generation is inbuilt, as well

But why is it great?

Well, apart from

  • easy handling
  • plugins for Firefox and Chrome
  • an Android and iOS app
  • the really smooth git integration,
  • the dmenu-style passmenu (start it with -c to directly copy to your clipboard),
  • an unholy amount of migration scripts,
  • the fact that it runs locally instead of on other people's servers,
  • and the very active community,

… what really attracted me to pass was that it was just a convenience script around well-known tools, meaning that I can decrypt my password files even without pass by invoking gpg directly (not that it is nearly as fun, though). The ease of invocation also makes pass an easy target for password manager integrations with other tools (as shall be shown in another post later on).

Where lies the rub?

Wellll, since pass stores each entry as an encrypted file in an ordinary directory tree on your file system, you're exposing potentially valuable information – that is, the folder and file names, which stay in plain text, comparable to subject lines in GPG-encrypted emails. To me, this is acceptable because my drive is encrypted, and with paths such as Accounts/GitHub, I'm not exposing valuable information. If this bothers you (as it probably should!), consider using the extension pass-tomb, which stores all data in a tomb created and encrypted by the same key pass uses.
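
To see what that exposure looks like in practice, here is an added example (not from pass or its docs) that lists everything a store reveals without the GPG key: entry names and the recipients from the nearest .gpg-id file. It also shows the direct gpg call mentioned earlier for reading an entry without pass. The function names and the sample store are made up for illustration; the store path is passed as an argument.

```shell
#!/bin/sh
# Added example: what a pass store reveals WITHOUT the GPG key.
# Assumed layout: <store>/<path>.gpg entries plus .gpg-id recipient files.

# Recipients for one entry: the nearest .gpg-id found while walking up
# from the entry's directory to the store root.
recipients_for() {
    store=$1 dir=$(dirname "$2")
    while :; do
        if [ -f "$dir/.gpg-id" ]; then
            paste -sd, "$dir/.gpg-id"   # join one-per-line ids with commas
            return 0
        fi
        [ "$dir" = "$store" ] && break
        dir=$(dirname "$dir")
    done
    printf 'unknown\n'
}

# One line per entry: "<entry name><TAB><recipients>". Nothing is decrypted.
store_metadata() {
    store=${1%/}
    find "$store" -name .git -prune -o -type f -name '*.gpg' -print | sort |
    while IFS= read -r file; do
        name=${file#"$store"/}
        printf '%s\t%s\n' "${name%.gpg}" "$(recipients_for "$store" "$file")"
    done
}

# Reading an entry without pass is a plain gpg call (needs the private key).
show_entry() {
    gpg --quiet --decrypt "${1%/}/$2.gpg"
}

# Constructed sample store; the .gpg files are empty placeholders,
# not real ciphertext, and the addresses are made up.
make_sample_store() {
    s=$(mktemp -d)
    mkdir -p "$s/Accounts" "$s/Work"
    printf 'alice@example.org\n' > "$s/.gpg-id"
    printf 'alice@example.org\nteam@example.org\n' > "$s/Work/.gpg-id"
    : > "$s/Accounts/GitHub.gpg"
    : > "$s/Work/vpn.gpg"
    printf '%s\n' "$s"
}
```

Running store_metadata against your own store (by default ~/.password-store) shows exactly what a backup, a synced git remote or an unencrypted disk would give away.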

Use it!

If you're mostly a command line person, and simple CLI interfaces with git integration sound good to you, and you do not have a password manager yet … pass is for you. If it is not … please use any other password manager with reasonable security that does not keep your passwords on other people's servers.