Pass : Open Source to the rescue

As I moved my main workstation from an Apple laptop running MacOS to a custom-built PC running Linux I had to revisit a few choices. As I pointed out in a previous post ("New system") I was suddenly back with a system based on OpenSource and embracing it. Using non-free software on Linux is possible, but such products are rarer than OpenSource ones relying on open standards and your own infrastructure.

One example of this is password management. In the last 10 years password management has moved from a hypothetical tool to a necessity. When the Internet started to become popular we only had to remember the password to our one email account. Nowadays we are lucky if we only have to log in to one service every day. Instant corporate chat, VPN, code repositories, ssh keys, multiple email accounts, online shops, gaming accounts, bank accounts, online libraries : we can barely remember all their names.

The online comic XKCD made a now [famous episode about passwords](https://xkcd.com/936/).

So a lot of us, hopefully, have started to use and rely on password managers. Some use notebooks (hmmmm "ok"), some use software. There are commercial, proprietary ones and then there are a few OpenSource ones.

Pass : the standard unix password manager

One of the latter is pass. Pass relies mainly on two OpenSource bricks : git and GPG. Git versions every single change made to the collection of passwords within a repository. GPG encrypts whatever is stored.

Pass uses one file per entry, the first line of which is considered the default value to display or load into the clipboard.
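How such an entry looks once decrypted, as an added example that is not taken from the original post or from pass itself : line 1 is the password, the following lines are free-form metadata (by convention "key: value", plus an otpauth:// line when pass-otp is used). The entry text and its secret are constructed placeholders, and neither gpg nor git is needed to run it.

```shell
#!/bin/sh
# Added example (not from the original post): the layout of a pass entry
# after `gpg --decrypt`, and how the first-line convention is read.
# The entry below is constructed; the OTP secret is a placeholder.
SAMPLE_ENTRY='correct horse battery staple
login: alice@example.com
url: https://git.example.com
otpauth://totp/git.example.com:alice?secret=PLACEHOLDERSECRET&issuer=Gitea'

# Print only the first line: what `pass show` shows first and what
# `pass -c` copies to the clipboard.
entry_password() {
  head -n 1
}

# Print the value of a "key: value" metadata line (key matched
# case-insensitively), trimming surrounding whitespace. Exit 1 when the
# key is absent so callers can tell "no such field" from an empty value.
entry_field() {
  key=$1
  awk -v want="$key" '
    NR == 1 { next }                      # never treat the password as a field
    {
      split($0, kv, ":")
      if (tolower(kv[1]) == tolower(want)) {
        val = substr($0, length(kv[1]) + 2)
        sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
        print val; found = 1; exit
      }
    }
    END { exit found ? 0 : 1 }'
}

# Demo on the constructed entry: the password, then the login field.
printf '%s\n' "$SAMPLE_ENTRY" | entry_password
printf '%s\n' "$SAMPLE_ENTRY" | entry_field login
```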

Pass works well on many platforms : MacOS, Linux, BSD, iOS, Android and Windows. Since the two main components (GPG and Git) can work on all of them, so does Pass.

Pass is, first and foremost, a command-line tool, so several plugins and interfaces have been developed to integrate it well on all those platforms.

Relying on pass

Where the big commercial password managers rely on shared data volumes such as iCloud, Google Drive and Dropbox, Pass can rely on private Git repositories. These can be set up and kept for very little money in different places such as GitHub, GitLab, Bitbucket or your own instance of Gitea.

You can then use pass on multiple devices and computers, sharing any change to your library of passwords through git.

Personally I have added a little function in my zshrc to trigger, by hand, a synchronization of my password store :

pass-sync () {
  # Run in a subshell so the caller's working directory is left untouched,
  # and stop immediately if the store does not exist.
  (
    cd ~/.password-store || exit 1
    git fetch gitea
    # Replay local commits on top of the remote; push only if the rebase succeeded.
    git pull --rebase gitea master && git push gitea master
  )
}

Because of the && I am sure that the git push won't happen if there was a conflict during the rebase. I prefer to resolve such conflicts by hand if they ever happen.

This could be tied to a crontab entry, and possibly a hook in the repository itself.

Pass extensions

As twitter@aspleenic wondered whether there was a way to handle one-time passwords (OTP) without having to set them up every time we get a new phone (the usual receptacle for our OTP authenticators) he was pointed to 1Password. But I was perplexed. Is that the only application doing this ? Is pass able to do this ?

It turns out that Pass has an extension for this : pass-otp. The iOS app passforios supports it too.

And while I have not found a plugin to use pass with Albert I am not too worried about it for now. Both Firefox and Chrome have plugins for it so most uses are covered with this and the rest I can handle in the terminal.

Nothing is free

Of course, relying on pass and a private git repository is not free. Hosting has a cost and one you might have to pay yourself if your company isn't covering this cost. So, is it worth it compared to 1Password ?

That's for each one of us to decide. Yet pass is OpenSource, it relies on OpenSource tools, open standards, and ordinary unix directories. All this makes it more auditable and more secure than most commercial and closed-source alternatives. Hosting git repositories also relies on SSH and Linux or BSD servers, all of which are common knowledge among system administrators around the world.

Why the switch ?

To be honest, I first tried to install and use 1Password on the Linux workstation. But because of a GPG signature issue on the package for Arch Linux I could not install it. Since I had been using Pass in a limited way for my personal use, and relying on it for professional use, I decided to give it a try.

A five-minute search gave me all the answers I needed :

  • iOS client
  • git private repositories
  • OTP

After setting up the private repository and installing passforios on my iOS devices I wrote the little script shared earlier in this article to keep my MacOS and Linux computers in sync. Lastly I started migrating all my passwords from 1Password to pass through the iOS and MacOS devices.

Pass or others

Setting it up and using it seems a bit annoying at first, but Pass relies on tools that most people who have been working with Linux or BSD systems in the last 20 years are familiar with. And since it also works with our mobile devices there is little we really can't do. Most people will still be happy to pay a monthly or yearly fee for one of the commercial password managers, and they should. It's better for them to rely on one of the main commercial password managers, which are used by many, well maintained and scrutinized, rather than to use the same password everywhere.

So, pass is a decent and almost complete password manager for all our devices. If we can, we probably should look into it and invest the necessary time to be both secure and independent for this critical piece of our digital life.

And if you want to add a bit more security to this : Fred de Villamil has written a post about how to use a Ledger Nano S to secure SSH keys.

Need help ?

We specialise in helping small and medium teams transform the way they build, manage and maintain their Internet based services.

With more than 10 years of experience in running Ruby based web and network applications, and 6 years running products servicing from 2000 to 100000 users daily we bring skills and insights to your teams.

Whether you have a small team looking for insights to quickly get into the right gear to support massive usage growth, or a medium-sized one trying to tackle growth pains between software engineers and infrastructure : we can help.

We are based in France, EU and especially happy to respond to customers from Denmark, Estonia, Finland, France, Italy, Netherlands, Norway, Spain, and Sweden.

We can provide training, general consulting on infrastructure and design, and software engineering remotely or in house depending on location and length of contract.

Contact us to talk about what we can do : sales@imfiny.com.