Since security breaches are discovered regularly and credentials leak as a result, it is recommended to use a different password for each account.
However, this task is obviously a pain to maintain by hand. I did use a notebook back in 2003, which I lost within a month, given that I'm a very organized person.
I'm not here to compare password managers; if you want to take a look, [Wikipedia](https://en.wikipedia.org) provides a nice comparison table [**there**](https://en.wikipedia.org/wiki/List_of_password_managers).
However, thanks to [moviuro](https://try.popho.be), my choice is [pass](https://www.passwordstore.org/) along with [pass-otp](https://github.com/tadfisher/pass-otp#readme) (and [passmenu](https://git.zx2c4.com/password-store/tree/contrib/dmenu)).
Nor do I intend to write a comprehensive guide, as plenty of those already populate the internet, for example [**here**](https://medium.com/@chasinglogic/the-definitive-guide-to-password-store-c337a8f023a1).
To make it short, pass is a bash script written by [zx2c4](https://www.zx2c4.com/) that uses [git](https://git-scm.com/) and [gpg](https://www.gnupg.org/).
To regenerate a password, the `-i` option is important to avoid overwriting the whole file and having to rely on [dirty git]({filename}/cheat-sheets/git.md) to undo your mistake (`pass <cmd>` will automatically commit your change)… I sometimes forget it, so let's put it here as a reminder.
Sometimes it can be useful to specify the accepted special characters; this can be done using the `PASSWORD_STORE_CHARACTER_SET` environment variable.
This value is interpreted by the [`tr` command](https://en.wikipedia.org/wiki/Tr_(Unix)),
hence to create a PIN, you can use the following value: `PASSWORD_STORE_CHARACTER_SET='[:digit:]'`, then specify the length with the last argument.
I didn’t manage to specify how to have at least one of them, so I run the command multiple times (with the `-i` option to change the file in place after the first one)…
It pollutes the git history a bit but, well… it works.
For instance, for a service supporting only the following characters: `-_@$<>` and passwords of at most 20 characters (fictive example), you can use the following command:
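
An added example, not the author's command and not part of pass: a shell function that replaces the repeated runs by drawing candidates through `tr` and keeping the first one that contains at least one character from every required set. The function names `gen_password` and `count_in`, the `SPECIALS` variable, and the policy (alphanumerics plus the listed specials, at least one digit and one special) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not part of pass): draw candidates the way the post describes
# (random bytes filtered through `tr` with a character set) and keep the first
# one that contains at least one character from every required set.

# count_in SET STRING -> number of characters of STRING that belong to SET
count_in() {
    printf '%s' "$2" | LC_ALL=C tr -dc "$1" | wc -c | tr -d ' '
}

# gen_password LENGTH CHARSET [REQUIRED_SET...]
# CHARSET and REQUIRED_SET use tr(1) syntax, like PASSWORD_STORE_CHARACTER_SET.
gen_password() {
    length=$1
    charset=$2
    shift 2
    attempts=0
    while [ "$attempts" -lt 1000 ]; do
        attempts=$((attempts + 1))
        candidate=$(LC_ALL=C tr -dc "$charset" < /dev/urandom | head -c "$length")
        ok=1
        for required in "$@"; do
            # Reject the candidate as soon as one required set is missing.
            [ "$(count_in "$required" "$candidate")" -gt 0 ] || { ok=0; break; }
        done
        if [ "$ok" -eq 1 ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    echo "gen_password: no candidate satisfied the policy" >&2
    return 1
}

# Assumed policy for the fictive service: alphanumerics plus -_@$<>, with at
# least one digit and one special character. "-" is placed last in the set so
# that tr reads it as a literal, not as a range or as the start of an option.
SPECIALS='_@$<>-'
# Example call:
#   gen_password 20 "[:alnum:]$SPECIALS" '[:digit:]' "$SPECIALS"
```

For a new entry, the output can be piped into `pass insert -e <name>`, which records it in a single commit.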
If for some reason you want to rotate your keys, you can rerun the `pass init` command with the new gpg ID (or with multiple IDs, to make the store available on multiple devices that don’t share the same key, which limits the risk of key leakage).
Note that you can also have a subfolder encrypted under a specific key (it can be specified using the `-p/--path=` option for `pass init`) if you want to share it with some other devices, or to separate work from personal passwords.
It should be possible to use [`git submodule`](https://git-scm.com/book/en/v2/Git-Tools-Submodules) as well, but I didn’t try.