pass, a ridiculously great password manager (intro)

Sunday, 10 November 2019

Getting Started

Install pass – use the package manager for your distro.

$ sudo apt install pass      # Debian, Ubuntu
$ sudo yum install pass      # RHEL, CentOS, Fedora
$ sudo pacman -S pass        # Arch

Let’s try it out.

$ pass
Error: password store is empty. Try "pass init".

$ pass init
Usage: pass init [--path=subfolder,-p subfolder] gpg-id...

We need a GPG key. Your distro should come with GNU Privacy Guard (GPG) installed already; if not, install it now.

Create GPG Key

Create a new GPG key just to use with this program. There are multiple ways to create keys with GPG, with different levels of control over options:

$ gpg --quick-generate-key
$ gpg --generate-key
$ gpg --full-generate-key

Note that GPG shows you a 40 byte hash of the public key when you generate one. You can use that to associate the public key with your password store. If you need it at some point you can always see it with the following command.

$ gpg --list-secret-keys --keyid-format LONG

Using the command shown above to list your GPG keys, you should see the same hash displayed that was shown when you generated the key, along with a fingerprint – the last 16 bytes of it. Either one can be used to initialize the password store; we’re going to use the shorter of them.

Create Password Store

When you create a new password store using pass it creates a hidden folder in your home directory.

$ pass init "BE3507CE22462669"
mkdir: created directory '/home/mdw/.password-store/'
Password store initialized for BE3507CE22462669
$ pass ls
 Password Store

pass is telling us we have an empty password store. Notice the directory where our passwords will be stored has been created with permissions of 700 so that only we can access the encrypted password files inside.

$ ls -ld ~/.password-store/
drwx------ 2 mdw mdw 4096 Sep  1 13:12 .password-store/
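
The permission check above can be turned into a repeatable audit. This is an added example, not code from pass or from the original post: the function name audit_store is made up for illustration, and it assumes pass's on-disk layout (a .gpg-id file naming the key, one .gpg file per entry, PASSWORD_STORE_DIR overriding the default path). It goes a little beyond the single ls -ld by also checking the key ID and looking for unencrypted files.

```shell
#!/bin/sh
# Added example (not part of pass). usage: audit_store [STORE_DIR] [EXPECTED_GPG_ID]
# Returns 0 when clean, 1 when findings were printed, 2 when the store is missing.
audit_store() {
    store=${1:-${PASSWORD_STORE_DIR:-$HOME/.password-store}}
    want_id=${2:-}
    rc=0
    if [ ! -d "$store" ]; then
        echo "no password store at $store"
        return 2
    fi

    # 1. Nothing in the store (the directory itself included) may carry any
    #    group or other permission bit; pass creates the store as 700.
    loose=$(find "$store" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -n "$loose" ]; then
        echo "group/other access on:"; echo "$loose"; rc=1
    fi

    # 2. .gpg-id lists the key(s) that entries are encrypted to. If an
    #    expected ID is given, it must appear there as a whole line.
    if [ ! -s "$store/.gpg-id" ]; then
        echo "missing or empty $store/.gpg-id"; rc=1
    elif [ -n "$want_id" ] && ! grep -qxF -- "$want_id" "$store/.gpg-id"; then
        echo "$want_id is not listed in .gpg-id"; rc=1
    fi

    # 3. Every entry should be a .gpg file; anything else may be plaintext.
    #    Dot-files and dot-directories (.gpg-id, .git) are skipped.
    plain=$(cd "$store" && find . -name '.?*' -prune -o -type f ! -name '*.gpg' -print)
    if [ -n "$plain" ]; then
        echo "files that are not .gpg entries:"; echo "$plain"; rc=1
    fi
    return "$rc"
}

# Run as a script, e.g.: sh audit_store.sh ~/.password-store BE3507CE22462669
if [ "$#" -gt 0 ]; then audit_store "$@"; fi
```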

Using the Password Store

Our password store has been created but it’s empty. Let’s create a new password using the insert option to see how it works.

$ pass insert
Enter password for 
Retype password for 

Great job, our first password has been created for Check it by viewing the list with the ls option, which is the default option, so it’s often omitted.

$ pass ls

There it is, our one entry. ls is typical of pass options, patterned after familiar Unix commands. If we want to view the password for we can use the same ls option with the name of one entry to display.

$ pass ls

Note again that ls is the default option and we can omit it.

Creating a multiline entry

We can also create multiline entries, for those times we want to store more than a simple password. Pass is simply encrypting a text file for each entry, so we can put anything in them. It’s a good idea to put the password on the first line, however, since as we’ll see later you can easily copy it into the paste buffer.

$ pass add -m anothersite
more info about this site

The -m switch indicates we want to insert multi-line data, and in case you didn’t guess, add is an alias for insert. If we now display the contents of anothersite we’ll see both lines displayed. The multiline content can be as many lines as needed, as it’s simply written to a text file.

$ pass -c anothersite
Copied anothersite to clipboard. Will clear in 45 seconds.

Using the -c switch is one of the best features of pass. Many password managers allow you to copy a password to be pasted into a web form, and this is great because it eliminates the need for a browser plugin, which is a rich attack vector. Unlike most, pass properly clears it from the clipboard after allowing a reasonable amount of time to elapse, 45 seconds by default. You can adjust this time interval by setting the PASSWORD_STORE_CLIP_TIME environment variable.

Generating a password for a new entry

$ pass generate foo
The generated password for foo is:

$ pass generate bar 12
The generated password for bar is:

Another useful feature we get with pass is generating passwords. Instead of creating a new password entry by using the insert option, we can use generate and pass will generate a password for us using /dev/urandom. An optional trailing argument specifies the desired length; in the example above we get a twelve character password. The default length can be modified using the PASSWORD_STORE_GENERATED_LENGTH environment variable.

$ pass generate -n strictsite
The generated password for strictsite is: U9084dDTh3zW0biZxIrfZ9uRl

Use the additional -n switch to generate a password with only alphanumeric characters. The default character sets can be changed, as you might suspect, by setting the environment variables PASSWORD_STORE_CHARACTER_SET and PASSWORD_STORE_CHARACTER_SET_NO_SYMBOLS.

Be sure to watch for the next installment where we’ll dive a bit deeper into how pass actually works, and ways to use this in the way that makes the most sense for you. Stay Tuned!