The password model is broken

Pretty much every security expert would agree that passwords are broken. They have the distinction of being difficult for legitimate users to manage, and easy for hackers to crack. Massive password leaks are a commonplace event in the modern era, which means that password re-use across multiple sites is a huge security vulnerability. Of course, remembering a unique, strong passphrase for every site you might use would be a heavy task for a mere mortal. Two-factor authentication is one solution that has been put forth to address the issue, which also imposes a higher burden on the end user, and itself can allow for other vulnerabilities, especially when delivered over SMS, despite the purpose being the strengthening of one’s security.

Password managers help, but they also make juicy targets

Several password managers have been created to address this problem. I used to use LastPass as my password manager of choice, but never felt totally comfortable with the fact that my data was stored on someone else’s server, especially given that such targets are quite juicy for hackers. Perhaps more vulnerable than external server storage, many password managers are liable to leak information through their browser extensions or mobile apps. There are browser extensions available for pass as well, though I prefer to eschew this route.

Welcome to Pass

When I heard about pass I was intrigued about migrating my data from LastPass and switching to this as a multi-platform solution. It is written for Unix, so works OOB for platforms like MacOS and Linux, but clients also exist for Windows, Android, and iOS, and there are a wide variety of open-source external tools you can use to help you manage your password store, though I haven’t found them necessary personally.

At a high level, pass stores your passwords in a directory of GPG-encypted files, optionally managed with version control via git, which allows you to sync changes across multiple devices and recover from changes you want to undo. This lightweight nature of pass allows you to use standard system utilities for managing these files how you see fit. GPG offers strong encryption, and storing your passwords in this fashion severely reduces the attack surface visible to a malicious actor.

If you already utilize a password manager…

If you already use a password manager, there are a variety of scripts available to utilize exported data from these platforms and migrate them into pass.

Let’s install GPG

You’ll probably want to install GNU Privacy Guard, a free implementation of OpenPGP, if running on a Unix system like MacOS, Linux, etc. The “PGP” in OpenPGP stands for “Pretty Good Privacy”, which is itself a proprietary technology currently owned by Symantec. I’ll be covering the steps for GPG on a Unix system explicitly, although free implementations also exist for Windows.

You may already have GPG installed, which you can check by running “which gpg” in the terminal. If not already installed, you can easily install it via your package manager of choice.

# MacOS
$ brew install gpg
# Debian, Ubuntu, etc.
$ sudo apt-get install gpg
# Redhat, CentOS, etc.
$ sudo yum install gpg

Creating GPG keys

You’ll want to run the following command to generate a GPG key.

$ gpg --gen-key

You’ll be prompted with a series of questions.

For option 1 (what kind of key?), I’d recommend the default (1/RSA and RSA).

Option 2 relates to the key size, with more bits being more secure, but also taking longer to decrypt. 2048 bits is the current default, which is considered fairly secure for now. Debate persists around how much is gained by 4096 bit RSA keys, though they are certainly stronger than 2048 bit RSA keys. Elliptic curve cryptography is an alternative encryption scheme which has been gaining stream, but there are debates as to the strengths of some of the current implementations, and the degree to which they were designed with potential vectors for exploitation by the NSA, as well as potential limitations to come in the light of the advent of quantum computing.

Option 3 relates to the expiration time of the key, which can be changed at any time.

Option 4 specifies a name for the key, which is required, whereas the subsequent options for email and contact are optional.

I’d recommend using a strong passphrase for your key as an additional level of protection!

Show me your keys!

You can list your GPG keys via the following command:

$ gpg --list-keys

Install pass

You can install pass via your package manager of choice:

# MacOS
$ brew install pass
# Debian, Ubuntu, etc.
$ sudo apt-get install pass
# Redhat, CentOS, etc.
$ sudo yum install pass

Initialize your password store

Pass will store your passwords in ~/.password-store. You can initialize your password store via “pass init” as below, substituting your own GPG key id for “ABCD1234”. You can see the GPG key id from the “gpg –list-keys” command, and the value you want to use is the 8-character code after the ‘/’ for the “pub” entry corresponding to your newly created key.

Initialize your password store with “pass init”:

# Fake PGP key ID, use your own...
$ pass init "ABCD1234"

Transfer exported data (if already using a password manager)

At this point, you can use one of the following scripts to export your existing data into your password store. Otherwise, it’s time to start adding some passwords to manage!

Synchronize with git

You can synchronize your password store with git via the following command:

$ pass git init

You can create a remote repository for your password store on another machine like so:

$ cd /path/to/password_store
$ git init --bare

And now you can add this repository as the remote repo on your initial machine with pass set up and set it as the upstream branch:

$ git remote add origin [email protected]:/path/to/password_store.git
$ git push -u origin master

And now you can synchronize changes to your password store via the standard git commands! (e.g., clone, push, pull, etc.)

On machines where pass is installed you can invoke “pass git <command>” to execute the git command for your password store.

Working with pass

Every password/piece of information is stored in a directory of files, and we can use basic file manipulation commands with pass like “ls”, “mv”, “cp”, “rm”, “grep”, “find”. Conventionally, the first line of the file is the stored password that will be copied to the clipboard with the -c option. Pass supports autocompletion in most shells, though some legwork may be needed to enable it.

Generating a new password with no symbols

$ pass generate -n allyourbasearebelongtous
The generated password for allyourbasearebelongtous is:

Generating a new password of length 22, copying it to the clipboard

$ pass generate -c somesite 22
Copied somesite to clipboard. Will clear in 45 seconds.

Showing the contents of a file

$ pass somesite (or: "pass show somesite")

Editing a file

$ pass edit somesite (uses the editor set in the EDITOR environment variable)
> y~!Q+'Ir[aK'(W_LhFK~Jg
> user: someuser
 rewrite somesite.gpg (100%)

Copying a password to the clipboard

$ pass -c somesite
Copied somesite to clipboard. Will clear in 45 seconds.

Searching your password store

$ pass grep someuser
user: someuser

Finding a file by name

$ pass find some
Search Terms: some
└── somesite

Move a file to a sub-folder

$ pass mv somesite somefolder/somesite
/path/to/.password-store/somesite.gpg -> /path/to/.password-store/somefolder/somesite.gpg
somefolder/somesite: reencrypting to ...

Examine the files in a folder

$ pass ls somefolder
└── somesite

Not just for passwords

As alluded to before, since everything is a file, we can also use pass to store any kind of textual information. We can just invoke “pass edit <filename>” or “pass insert <filename>” to create a new entry which can be populated with whatever data you wish.

Often, you’ll want to include data like usernames or PINs along with your password. You may put the username in the filename to distinguish between different accounts for the same site. I tend to put such information in the files themselves, while designating functional differences in the filename. For example, facebook-work vs. facebook-personal.

What about mobile?

As mentioned, there are pass clients available for Android and iOS that work really well once they’re configured. There’s been no looking back since migrating away from LastPass!

I won’t fully go into setting up an Android or iOS client, but in a nutshell, you can export your GPG keys in ASCII-armored form via an animated QR code.

Export your keys like so:

$ gpg --output mygpgkey_pub.gpg --armor --export ABCD1234
$ gpg --output mygpgkey_sec.gpg --armor --export-secret-key ABCD1234

You can find a program to convert an ASCII-armored PGP key to an animated QR code here, which you can use like this:

./ mypgpkey_pub.gpg public.gif
./ mypgpkey_sec.gpg private.gif