aborsy 3 days ago

I have heavily used Pass over the years. Here are some of its pros (an update to my comment several years ago):

* Your secret key can be stored in Yubikey, handled by a dedicated OpenPGP agent. This allows deriving a strong key from a weak one. Your password is basically a short PIN with max 3 tries. Every password retrieval can require a physical touch. This is convenient and secure!

Pass makes sense if you use it with a hardware key, with touch enabled. With this setup, it’s hard to beat its security.

* It uses public key cryptography, and comes with its advantages. You don’t need your master password to add/encrypt passwords. You only need that for decryption. Less exposure of master key, and more convenience.

For that reason, it’s well suited to share passwords with other people or devices. You can encrypt to multiple public keys. This adds multi user and device support.

You can easily add a backup offline public key (which you may print) if you lose your Yubikey.

* You can decrypt a single password without decrypting and exposing other passwords. The passwords are isolated, if you use Yubikey.

* Searching passwords is quick and transparent. You easily see what is in your store.

* You can use it programmatically, e.g., your backup script can grab a password from the store.

* It’s a short bash script that you can verify, and delegates encryption to a dedicated well-audited cryptographic tool.

* PGP is a standard, and GPG and git are widely available. There is no database to break or migrate. You can read your passwords anywhere and in the future.

* The script is written by the creator of the acclaimed Wireguard!

There are also cons.

* Some people don’t like that it leaks metadata (filenames, and password tree), though there are versions of pass that fix it.

* Lately gpg is causing some trouble with Debian Trixie. GPG agent frequently locks the Yubikey and requires restarting pcscd (probably due to conflicts with pcscd). There is a similar tool Passage using Age, maybe that solves it.

* There are mobile apps, but they are not as frequently updated as something like the Bitwarden apps (which have clients for every OS, and frequently fix bugs and add functionality).

* I haven’t used it and am not sure how good browser support is.

Here is a post on a similar password management setup with GPG replaced by Age:

https://words.filippo.io/passage/
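The multi-recipient and backup-key points above rest on one small mechanism: pass keeps the recipient list in a plain `.gpg-id` file, the nearest one at or above an entry's directory wins, and each key ID listed there becomes a `-r` argument to `gpg --encrypt`. The script below is an added example (not code from this thread or from the pass project) that re-implements that lookup so you can see which keys a given entry would be encrypted to. It assumes the store layout pass uses (`.gpg-id` at the root, optional per-subtree overrides); the key IDs and the comment handling in `.gpg-id` are constructed placeholders and an assumption respectively, not taken from the pass source.

```shell
#!/bin/sh
# Added example: mimics how pass picks gpg recipients for an entry.
# Not the pass script itself; key IDs below are placeholders, not real fingerprints.

# Print the path of the .gpg-id file that governs ENTRY (relative to STORE).
# pass walks from the entry's directory up to the store root and stops at the
# first .gpg-id it finds, so a subtree can carry its own recipient set.
# Returns 1 if nothing is found up to and including the store root.
resolve_gpg_id() {
    store=$1
    entry_dir=$(dirname "$2")
    dir="$store/$entry_dir"
    [ "$entry_dir" = "." ] && dir=$store          # entry lives at the store root
    while :; do
        if [ -f "$dir/.gpg-id" ]; then
            printf '%s\n' "$dir/.gpg-id"
            return 0
        fi
        [ "$dir" = "$store" ] && return 1        # reached the root, no .gpg-id
        dir=$(dirname "$dir")
    done
}

# Print the "-r KEYID ..." arguments that would be handed to gpg --encrypt for ENTRY.
# Blank lines and trailing "#" comments are ignored (assumption about .gpg-id format).
recipient_args() {
    idfile=$(resolve_gpg_id "$1" "$2") || return 1
    args=""
    while IFS= read -r keyid || [ -n "$keyid" ]; do
        keyid=${keyid%%#*}                                   # drop comment
        keyid=$(printf '%s' "$keyid" | tr -d '[:space:]')    # drop whitespace
        [ -n "$keyid" ] || continue
        args="${args:+$args }-r $keyid"
    done < "$idfile"
    [ -n "$args" ] || return 1
    printf '%s\n' "$args"
}

# Build a constructed demo store in a temp dir: the root .gpg-id lists a
# hardware-key ID plus a printed backup key (the "lost Yubikey" case), and a
# team/ subtree has its own recipients (the sharing case). Prints the store path.
make_demo_store() {
    d=$(mktemp -d)
    mkdir -p "$d/web" "$d/team"
    printf '%s\n' 'DEADBEEF00000001 # yubikey' \
                  'DEADBEEF00000002 # printed offline backup key' > "$d/.gpg-id"
    printf '%s\n' 'DEADBEEF00000003' 'DEADBEEF00000004' > "$d/team/.gpg-id"
    printf '%s\n' "$d"
}

# Demo: show which keys each entry would be encrypted to, then clean up.
demo_store=$(make_demo_store)
echo "web/example.com -> $(recipient_args "$demo_store" web/example.com)"
echo "team/wiki       -> $(recipient_args "$demo_store" team/wiki)"
rm -rf "$demo_store"
```

Two practical checks fall out of this: adding the backup key is one appended line in the root `.gpg-id` (existing entries must still be re-encrypted, which `pass init` with the full key list does), and a subtree `.gpg-id` replaces rather than extends the parent list, so a `team/` folder that should also be readable by your own key has to list it explicitly.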

3036e4 2 days ago

About the mobile app: I never used pass until today, but it seems great, and so far I have only tested it by installing it on my phone in Termux. Can't think of a reason for me to use a special app when running it in Termux works so well. I was happily surprised that even pass show -g worked out of the box, copying output to the Android clipboard.

That is also nice since I have ssh already set up so syncing to my computer from the phone will be easy.

hazek112 3 days ago

Any recs for yubikey setup guides with pass?

aborsy 3 days ago

Nothing specific to pass. It’s just Yubikey setup with GPG; that’s part of the appeal!

https://github.com/drduh/YubiKey-Guide

This guide covers many adjacent topics; the relevant part is generating the secret key inside Yubikey, or in an airgapped system and doing “key-to-card” in gpg.