---
Title: Manage your passwords with pass
Date: 2019-04-22 19:00
Modified: 2024-02-24 18:00
Author: Fabrice
Category: software
Tags: pass, git, cli
Slug: password-store
Header_Cover: images/covers/clovers.jpg
Summary: A simple password manager that relies on gpg and is synchronized with git.
Lang: en
---

Security breaches are discovered regularly and credentials leak, so it is recommended to use a different password for each account.
However, this task is obviously a pain to maintain by hand. I did use a notebook back in 2003, which I lost within a month, given that I'm a very organized person.

Fortunately, many password managers exist, with similar features: cross-platform (especially smartphone support), password generation, browser integration…

I'm not here to compare them; if you want to take a look, [Wikipedia](https://en.wikipedia.org) provides a nice comparison table [**there**](https://en.wikipedia.org/wiki/List_of_password_managers).

However, thanks to [moviuro](https://try.popho.be), my choice is [pass](https://www.passwordstore.org/) along with [pass-otp](https://github.com/tadfisher/pass-otp#readme) (and [passmenu](https://git.zx2c4.com/password-store/tree/contrib/dmenu)).
I don't intend to write a comprehensive guide either, as those already populate the internet, for example [**here**](https://medium.com/@chasinglogic/the-definitive-guide-to-password-store-c337a8f023a1).

In short, pass is a bash script, written by [zx2c4](https://www.zx2c4.com/), that uses [git](https://git-scm.com/) and [gpg](https://www.gnupg.org/).

Here are just some commands I often use.

```sh
pass generate -i <pass-name>
```
To regenerate a password, the `-i` option is important: it avoids overwriting the whole file and having to rely on [dirty git]({filename}/cheat-sheets/git.md) to undo your mistake (`pass <cmd>` will automatically commit your change)… I sometimes forget it, so let's put it here as a reminder.

Sometimes it is useful to specify the accepted special characters. This can be done using the `PASSWORD_STORE_CHARACTER_SET` environment variable.
Its value is interpreted by the [`tr` command](https://en.wikipedia.org/wiki/Tr_(Unix)),
so to create a PIN you can use the following value: `PASSWORD_STORE_CHARACTER_SET='[:digit:]'`, then specify the length with the last argument.

For instance, to generate a 6-digit PIN:

```sh
PASSWORD_STORE_CHARACTER_SET='[:digit:]' pass generate <pass-name> 6
```

I didn’t manage to specify how to have at least one of them, so I run the command multiple times (with the `-i` option to change the file in place after the first one)…
It pollutes the git history a bit but, well… it works.

For instance, for a service that supports only the following special characters: `-_@$<>`, with passwords of at most 20 characters (fictional example), you can use the following command:

```sh
PASSWORD_STORE_CHARACTER_SET='[:alnum:]-_@$<>' pass generate <pass-name> 20
```

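One way to guarantee at least one digit and one special character without rerunning `pass generate`, shown as an added example that is not part of the original post or of pass itself. The function names, the 4096-byte random block and the 1000-try limit are assumptions; the character sets use the same `tr` syntax as `PASSWORD_STORE_CHARACTER_SET`.

```sh
#!/bin/sh
# Added example, not part of pass. Rejection sampling: draw whole candidates
# and discard those missing a required class, so every accepted password is
# still uniformly distributed over the passwords that satisfy the policy.

# gen_candidate CHARSET LENGTH
# CHARSET uses tr syntax, like PASSWORD_STORE_CHARACTER_SET.
gen_candidate() {
    # Filter a fixed block of random bytes; LC_ALL=C makes tr work on bytes.
    pool=$(head -c 4096 /dev/urandom | LC_ALL=C tr -dc -- "$1")
    printf '%s\n' "$pool" | cut -c "1-$2"
}

# has_all CANDIDATE CLASS...
# Succeeds only if CANDIDATE contains at least one character of every CLASS.
has_all() {
    _cand=$1
    shift
    for _class in "$@"; do
        _hit=$(printf '%s' "$_cand" | LC_ALL=C tr -dc -- "$_class")
        [ -n "$_hit" ] || return 1
    done
    return 0
}

# generate_with_policy CHARSET LENGTH CLASS...
# Prints one password on stdout; fails after 1000 rejected candidates.
generate_with_policy() {
    _set=$1
    _len=$2
    shift 2
    _tries=0
    while [ "$_tries" -lt 1000 ]; do
        _tries=$((_tries + 1))
        _pw=$(gen_candidate "$_set" "$_len")
        # A short pool (tiny charset) yields a short candidate: retry.
        [ "${#_pw}" -eq "$_len" ] || continue
        if has_all "$_pw" "$@"; then
            printf '%s\n' "$_pw"
            return 0
        fi
    done
    return 1
}

# The page's fictive service: 20 chars, at least one digit and one special.
generate_with_policy '[:alnum:]-_@$<>' 20 '[:digit:]' '_@$<>-'
```

Piping the result into `pass insert -e <pass-name>` stores it in a single commit instead of one commit per retry.
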
If for some reason you want to rotate your keys, you can rerun the `pass init` command with the new gpg ID (or with multiple IDs, to make the store available on multiple devices that don’t share the same key, which limits the risk of key leakage).
Note that you can also have a subfolder encrypted under a specific key (it can be specified using the `-p/--path=` option for `pass init`) if you want to share it with some other devices, or to separate work from personal passwords.
It should be possible to use [`git submodule`](https://git-scm.com/book/en/v2/Git-Tools-Submodules) as well, but I didn’t try.

To finish:

```sh
pass git <whatever you want>
```
To do whatever you want with git, especially *dirty git* 😉

And finally, I'm using [password-store](https://f-droid.org/en/packages/dev.msfjarvis.aps/) on my Android phone.