Rafi's

# pass - Free and wonderful password management

I’ve started using the Internet back in ’96 and I have accumulated several hundreds of password credentials for different sites. This entails my long journey to integrate a comfortable workflow for managing credentials in my day-to-day work, and pleasure.

# Other Password Managers

In-fact, I started using password managers way back when I was still stuck with Windows and Roboform (opens new window) in the early ’00s. When transitioning to Linux and macOS, Roboform didn’t support these platforms back then. And besides, it was becoming too corporate.

Cloud-based managers were out of the question, so I started testing 1Password (opens new window). With a slick design and comfortable extensions for popular browsers — it was a nice experience, but 1Password started becoming an expensive solution.

I dabbled with KeePass and KeePassX for a while until I gave up, browser integration was far from perfect.

# The Beauty of Password-Store

I then found password-store (opens new window), the standard unix password manager. Immediately, I fell in-love:

Password management should be simple and follow Unix philosophy (opens new window).

Pass (in short) stores passwords in gpg (opens new window) encrypt files whose filename is the title of the website or resource that requires the password. Using other Unix commands like tree, git, etc. pass provides an extremely easy & secure workflow with passwords, and optionally wraps around git for automatic commits and human-readable history diff. And it’s open-source.

# Tips

# Getting Started With Password-Store

# Setup GPG

  1. Download gnupg.org (opens new window) or gpgtools.org (opens new window).
  2. Depending which suite you download, you’ll need to generate a new key pair.
  3. I recommend to increase the key size to the maximum of 4096.
  4. Enter your real Email
  5. Use a secure passphrase

Use the graphical interface of gnupg (opens new window) or gpgtools (opens new window), or the command-line:

gpg --gen-key
gpg --list-secret-keys --keyid-format LONG

You can now copy the GPG key ID you’d like to use from the list, and for example print the GPG key ID, in ASCII armor format:

gpg --armor --export

# Setup Password-Store

Make sure to install git and tree if you don’t have them already. And, depending on your operating-system, choose the one for you:

brew install pass      # Mac OSX with Homebrew
port install pass      # Mac OSX with Macports
apt-get install pass   # Linux with Ubuntu
pacman -S pass         # Linux with Archlinux
yum install pass       # Linux with CentOS/RedHat

# Managing Passwords with Password-Store

pass is the only command you’ll need. You can insert, edit, grep, mv and so much more. Here are a few examples:

pass insert joe/gmail.com    # Create a directory nested password
pass insert -m wallet/visa   # Create a multiline password
pass edit joe/gmail.com
pass grep gmail
pass find visa

# Show all password list:
pass

# Show password contents:
pass joe/gmail.com

Don’t forget to integrate and use pass's bash/zsh completion support.

# Password-Store Browser Integration

password-store has many Client integrations (opens new window), and even extensions (opens new window). The best browser integration I found is browserpass (opens new window). You will need to first install its package client, and then the Chrome or Firefox extension.

browserpass is smart enough to find multiple matches for current site.

I bind Alt+ k to browserpass, so I can quickly search, filter, and apply credentials to a form, and auto-submit.

# Other Integrations

There are many clients for different devices out there. Here (opens new window) are a few.

# Android App

Android Password Store (opens new window)” is amazing. It allows management of passwords and auto-typing into forms in my mobile Chrome, what a pleasure!

Android Password Store in action.

# iOS App

I don’t own an iOS, but passforios (opens new window) looks nice.

# Pass Window (Mac) Integration

What about other windows? Browsers aren’t the only applications that require passwords from the user at times.

We’ll create a global keyboard shortcut to grab current window’s title and show pass entry information, without the password. The password is copied to clipboard for 45 seconds.

Run Automator, and create a new service:

  • Add “Run AppleScript” with:
on run {input, parameters}

    global frontApp, frontAppName, windowTitle

    set windowTitle to ""
    tell application "System Events"
    set frontApp to first application process whose frontmost is true
    set frontAppName to name of frontApp
    tell process frontAppName
    tell (1st window whose value of attribute "AXMain" is true)
    set windowTitle to value of attribute "AXTitle"
    end tell
    end tell
    end tell

    return frontAppName
end run

  • Add “Run Shell Script”, select “Pass input [as arguments]”, with:

    ~/.local/bin/urlpass “$@”

  • Save service.

  • Assign keyboard shortcut in System Preferences / Keyboard / Shortcuts.

  • Create ~/.local/bin/urlpass:

#!/usr/bin/env bash
# Import the gpg-agent-info variable and export it
eval $(cat "~/.gpg-agent-info" | cut -d: -f 1)
export GPG_AGENT_INFO
for app in "$@"
do
    # Copy password to clipboard
    if pass -c "apps/$app" 1>/dev/null; then
    # Show notification with all other info except the 1st line
    data=$(pass "apps/$app" | sed '1d')
    terminal-notifier -message "${data:-N/A}" -title "$app"
    fi
done
  • Set execute permissions: chmod ug+x ~/.local/bin/urlpass

Try it out by saving a password called apps/somename and click your shortcut once focused on the app. You’ll now find the password copied to your clipboard.

# Closing Notes

password-store allows true control of your passwords in an extensible, open way. Great amount of clients for different devices, start using pass today!

Last Updated: 12/26/2018, 11:15:30 PM