blog/content/software/pass.md

---
Title: Manage your passwords with pass
Date: 2019-04-22 19:00
Modified: 2024-02-24 18:00
Author: Fabrice
Category: software
Tags: pass, git, cli
Slug: password-store
Header_Cover: images/covers/clovers.jpg
Summary: A simple password manager that relies on gpg, and synchronized with git.
Lang: en
---
Security breaches are disclosed regularly, and the leaked credentials are then replayed against other services, so it is recommended to have a different password on each account.
However, this is obviously a pain to maintain by hand. I did use a notebook back in 2003, which I lost within a month, given that I'm a very organized person.
Fortunately, many password managers exist, with similar features: cross-platform support (especially on smartphones), password generation, browser integration…
I'm not here to compare them; if you want to take a look, [Wikipedia](https://en.wikipedia.org) provides a nice comparison table [**there**](https://en.wikipedia.org/wiki/List_of_password_managers).
However, thanks to [moviuro](https://try.popho.be), my choice is [pass](https://www.passwordstore.org/) along with [pass-otp](https://github.com/tadfisher/pass-otp#readme) (and [passmenu](https://git.zx2c4.com/password-store/tree/contrib/dmenu)).
I don't intend to write a comprehensive guide either, as plenty already exist, for example [**here**](https://medium.com/@chasinglogic/the-definitive-guide-to-password-store-c337a8f023a1).
In short, pass is a bash script written by [zx2c4](https://www.zx2c4.com/) on top of [gpg](https://www.gnupg.org/) and [git](https://git-scm.com/): each entry is a gpg-encrypted file under `~/.password-store/` (the first line is the password, the rest is free-form text such as the login or notes), and the store can be a git repository (`pass git init`), in which case every change is committed automatically.
Here are just some commands I often use.
```sh
pass generate -i <pass-name>
```
When regenerating the password of an existing entry, the `-i` (`--in-place`) flag is important: it replaces only the first line (the password itself) and keeps the rest of the file, instead of overwriting the whole file and leaving you to rely on [dirty git]((unknown)/cheat-sheets/git.md) to undo the mistake (every `pass <cmd>` automatically commits its change when the store is a git repository)… I sometimes forget it, so let's put it here as a reminder.
Sometimes it is useful to restrict the accepted characters; this is done with the `PASSWORD_STORE_CHARACTER_SET` environment variable (default `[:punct:][:alnum:]`; `pass generate -n` uses `PASSWORD_STORE_CHARACTER_SET_NO_SYMBOLS` instead, default `[:alnum:]`).
The value is interpreted by the [`tr` command](https://en.wikipedia.org/wiki/Tr_(Unix)): pass runs `tr -dc` with that set over `/dev/urandom` and keeps the first *length* bytes,
so to create a PIN you can use `PASSWORD_STORE_CHARACTER_SET='[:digit:]'` and give the length as the last argument (default 25, or the value of `PASSWORD_STORE_GENERATED_LENGTH`).
For instance, to generate a 6 digit PIN:
```sh
PASSWORD_STORE_CHARACTER_SET='[:digit:]' pass generate <pass-name> 6
```
I didn't find a way to require at least one of them, so I run the command multiple times (with the `-i` option to change the file in place after the first one)…
It pollutes the git history a bit but, well… it works.
For instance, for a service that accepts only alphanumerics plus the special characters `-_@$<>`, with a maximum length of 20 characters (a fictitious example), you can use the following command (keep the value in single quotes so the shell neither expands `$` nor treats `<` and `>` as redirections, and keep `-` out of the middle of two characters so `tr` does not read it as a range):
```sh
PASSWORD_STORE_CHARACTER_SET='[:alnum:]-_@$<>' pass generate <pass-name> 20
```
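Here is an added example (my own script, not part of pass) of the retry loop described above, written as a POSIX shell function: it draws candidates the same way `pass generate` does (`tr -dc` over `/dev/urandom` under `LC_ALL=C`) and rejects any candidate lacking a character from one of the required classes, so both the PIN case and the `-_@$<>` case above can be produced in one call. The function name `gen_password`, the 1000-attempt cap and the sample classes are my choices.

```shell
#!/bin/sh
# gen_password CHARSET LENGTH [REQUIRED_CLASS...]
# Hypothetical helper (not part of pass). CHARSET and each REQUIRED_CLASS use
# tr(1)/grep(1) bracket syntax without the outer brackets, e.g. '[:digit:]'
# or '-_@$<>'. Candidates are drawn exactly like `pass generate` draws them;
# a candidate is kept only if it contains at least one character of every
# required class (rejection sampling, so the distribution stays uniform over
# the accepted strings).
gen_password() {
    charset="$1"; len="$2"; shift 2
    attempts=0
    while [ "$attempts" -lt 1000 ]; do          # cap chosen for this example
        attempts=$((attempts + 1))
        # Same generator as pass: filter urandom through tr, keep LENGTH bytes.
        pw="$(LC_ALL=C tr -dc "$charset" </dev/urandom | head -c "$len")"
        ok=1
        for class in "$@"; do
            # "[$class]" becomes e.g. [[:digit:]] or [-_@$<>] ('-' first is literal).
            printf '%s' "$pw" | LC_ALL=C grep -q "[$class]" || { ok=0; break; }
        done
        if [ "$ok" -eq 1 ]; then
            printf '%s\n' "$pw"
            return 0
        fi
    done
    echo "gen_password: no candidate met all classes after $attempts attempts" >&2
    return 1
}

# Example calls (constructed inputs):
#   gen_password '[:digit:]' 6 '[:digit:]'
#   gen_password '[:alnum:]-_@$<>' 20 '[:digit:]' '[:upper:]' '[:lower:]' '-_@$<>'
```

For a new entry, the result can be stored with `printf '%s\n' "$pw" | pass insert -e <pass-name>`; like `pass generate` without `-i`, this writes a whole new file, so for an existing entry with extra lines edit it with `pass edit` instead.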
If for some reason you want to rotate your keys, rerun `pass init` with the new gpg ID: pass re-encrypts every entry of the store to that key. You can list several IDs so that the store is readable from several devices without sharing one private key between them, which limits the damage if one of them leaks. Note that re-encryption does not rewrite the git history: older commits still hold the files encrypted to the previous key, so a compromised key can still decrypt whatever it could decrypt before.
You can also have a subfolder encrypted to a specific key (`pass init -p <subfolder> <gpg-id>` writes a `.gpg-id` file in that subfolder, and entries below it are encrypted to those IDs instead of the ones in the store's root `.gpg-id`) if you want to share only that part with other devices, or to separate work from personal passwords.
It should be possible to use [`git submodule`](https://git-scm.com/book/en/v2/Git-Tools-Submodules) as well, but I didn't try.
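To make the subfolder behaviour concrete, here is an added example (my own script, not pass itself) that reimplements the recipient lookup pass performs: starting from the entry's directory, it walks up to the first `.gpg-id` file, stopping at the store root. It builds a throw-away store laid out as `pass init personal-key laptop-key` followed by `pass init -p work work-key` would leave it, without needing gpg; the key IDs `personal-key`, `laptop-key` and `work-key` and the entry names are made up.

```shell
#!/bin/sh
# gpg_ids_for STORE ENTRY
# Prints the gpg IDs (one per line) an entry would be encrypted to, using the
# same rule as pass: nearest .gpg-id at or above the entry's directory, never
# above the store root. Hypothetical helper written for this example.
gpg_ids_for() {
    store="$1"
    case "$2" in
        */*) current="$store/${2%/*}" ;;   # entry inside a subfolder
        *)   current="$store" ;;           # entry directly under the root
    esac
    while [ "$current" != "$store" ] && [ ! -f "$current/.gpg-id" ]; do
        current="${current%/*}"            # go one directory up
    done
    [ -f "$current/.gpg-id" ] || { echo "no .gpg-id found: run pass init" >&2; return 1; }
    cat "$current/.gpg-id"
}

# make_demo_store DIR
# Constructed layout: root .gpg-id with two IDs (as `pass init` writes them,
# one per line) and a work/ subfolder with its own .gpg-id. The .gpg files are
# empty placeholders standing in for encrypted entries.
make_demo_store() {
    store="$1"
    mkdir -p "$store/work/vpn" "$store/personal"
    printf '%s\n' personal-key laptop-key > "$store/.gpg-id"
    printf '%s\n' work-key > "$store/work/.gpg-id"
    : > "$store/personal/bank.gpg"
    : > "$store/work/vpn/corp.gpg"
    : > "$store/github.gpg"
}

# Example run on a temporary directory (constructed data):
#   tmp=$(mktemp -d); make_demo_store "$tmp"
#   gpg_ids_for "$tmp" work/vpn/corp   # -> work-key only
#   gpg_ids_for "$tmp" personal/bank   # -> personal-key and laptop-key
#   rm -rf "$tmp"
```

The point to notice is that a `work/` entry is never encrypted to the root keys: the lookup stops at the first `.gpg-id` it meets, so sharing `work/` with a colleague's key does not expose the rest of the store, and conversely the laptop key cannot read `work/` unless it is listed in `work/.gpg-id`.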
To finish, `pass git` runs git inside the password store with whatever arguments you give it:
```sh
pass git <whatever you want>
```
Use it to do whatever you want with git, especially *dirty git* 😉
And finally, I'm using [password-store](https://f-droid.org/en/packages/dev.msfjarvis.aps/) on my Android phone.