I've been frustrated with lastpass:

  1. browser plugin has unpredictable behavior
  2. chrome + Debian + lastpass = buggy and/or broken
  3. 1 year subscription ran out, I don't want to continue paying
  4. without sub, no more yubi key 2nd factor
  5. without sub, no more iPhone app

Enter pass. Also known as "password-store", it bills itself as the "Standard Unix Password Manager", and that's probably true. It integrates with git and GnuPG and uses the filesystem as its database. The program is open source and largely a shell script, which makes hacking on it easy. Also, the main developer and community are really active and friendly.

I have pass installed on two Mac laptops, a Debian VM, and a Windows 7 desktop. They all sync with a password store git repository hosted on the VPS that this blog and my website are hosted from. One nice thing here is that even though the password store is synced to a server on the wild internet, the private key needed to decrypt it is kept and controlled locally.

I've been using it actively for about a month (update: going on 5 months now) and it works great so far. It is somewhat less convenient to install pass and my password store onto a new computer (especially Windows) than it was with lastpass, but that's not too big of a deal. On a Windows machine I settled on using pass through Cygwin. The recently released versions of pass support Cygwin pretty well.

For me, the bottom line is that version control and the ability to control my own data, especially data as sensitive as a password store is, outweigh some slight inconveniences around user interface, setup, and maintenance.

Other thoughts, tips, and tricks:

  1. pass find performs a fuzzy match over the names of your password entries, handy for remembering what you called the entry for www.joeschilipowderemporium.com

  2. pass git pull and pass git push operate git from your password store git tree, no matter where you call it from. This is how I (manually) sync password stores with the hub.

  3. pass -c <myentry> copies the entry's password to your clipboard without displaying it. However, this doesn't work if you call it from inside tmux on Mac OS X (because of some pasteboard issue). I usually just call up a new terminal, grab the password I want to the clipboard, then close the terminal.

  4. I could use my Yubi key in static mode to unlock the decryption key, but I haven't done this yet. I've looked for info on using an OTP to unlock a GPG key, but haven't found anything useful.
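
An added example (not from the original post or the pass project): a pre-push audit for the setup described above, where the store is pushed to a remote git host and only the private key stays local. It flags anything in the tree that is not OpenPGP ciphertext and lists the entry names, which pass keeps as plain file names and which the remote can therefore read. The function names and the first-byte heuristic are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of pass: audit a password store before `pass git push`.
# Assumes the default pass layout: $PASSWORD_STORE_DIR or ~/.password-store,
# one NAME.gpg file per entry, plus .gpg-id and .gitattributes.

# is_openpgp FILE: heuristic check that FILE holds OpenPGP data, either a
# binary packet (first byte has its high bit set) or an ASCII-armored message.
# It does not prove the file decrypts or who the recipients are.
is_openpgp() {
    first=$(od -An -tu1 -N1 "$1" | tr -dc '0-9')
    [ -n "$first" ] && [ "$first" -ge 128 ] && return 0
    head -n 1 "$1" | grep -q '^-----BEGIN PGP MESSAGE-----'
}

# audit_store [DIR]: print one line per problem, return 1 if any were found.
audit_store() {
    store=${1:-${PASSWORD_STORE_DIR:-$HOME/.password-store}}
    store=${store%/}
    problems=$(
        [ -f "$store/.gpg-id" ] || echo "MISSING  .gpg-id"
        # Skip git metadata; everything else must be an allowed file or ciphertext.
        find "$store" -name .git -prune -o -type f -print | while IFS= read -r f; do
            rel=${f#"$store"/}
            case $rel in
                (.gpg-id|*/.gpg-id|.gitattributes) ;;
                (*.gpg) is_openpgp "$f" || echo "PLAINTEXT  $rel" ;;
                (*)     echo "UNEXPECTED  $rel" ;;
            esac
        done
    )
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# entry_names [DIR]: entry names as the remote host sees them (never encrypted).
entry_names() {
    store=${1:-${PASSWORD_STORE_DIR:-$HOME/.password-store}}
    ( cd "$store" && find . -name .git -prune -o -type f -name '*.gpg' -print ) |
        sed -e 's|^\./||' -e 's|\.gpg$||' | sort
}

# Usage: audit_store && pass git push
```

Source the file in the shell used for syncing; `entry_names` shows exactly what someone with read access to the remote repository learns without the key.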

