pass is a personal password manager for Unix. It lets you encrypt your passwords with gpg and store them with git.
Is this really such a good idea? I'm really scared of my info becoming unrecoverable. If I have a brain injury, I could forget my gpg key password. Not to mention losing my key. If I back it up on the cloud it's useless. If I store it in real life, my entire digital life can be wiped out by a fire or a flood. If I back it up in multiple places, my security is reduced.
Is pass provably more secure than cloud password managers?
>If I have a brain injury, I could forget my gpg key password
You'd lose every other password too, so no problem there
>If I back it up on the cloud it's useless
How so?
>If I store it in real life, my entire digital life can be wiped out by a fire or a flood. If I back it up in multiple places, my security is reduced.
Just put a mirror in your dad's basement without telling anyone lmao, it's not rocket science
Michael Thomas
If I have a brain injury I'll be off to Switzerland to kill myself so idc
Juan Brooks
No, use keepass.
If you're worried about losing the master password, keep it somewhere safe written down on a piece of paper. If you're worried about losing the database, store it in multiple places. My solution is to have a server that hosts the file. Accessible anywhere in the world. Backed up regularly with scripts.
There's no defending against brain injury. Wear a helmet.
Isaac Barnes
I use it, pretty cool. Sync it with gitlab, have a copy on my phone and laptop.
Should probably sync with my home NAS instead.
Nicholas Wright
if you keep it on like three different devices, the odds of it disappearing are pretty high
Mason Parker
>If I have a brain injury, I could forget my gpg key password
How does this make it any better/worse? You would have lost your passwords anyway.
>If I store it in real life, my entire digital life can be wiped out by a fire or a flood. If I back it up in multiple places, my security is reduced.
Same here.
You don't actually mention any reason why this method is worse than any other method.
Eli Young
Have you considered a fiscal notepad? If you are too old or retarded to not remember all your passwords, that is the way to go
>Inb4 not secure
Only if you are a retard, and you could lose everything on pass just as easily. You only need to be distracted one time to fuck it all up.
Caleb King
s/fiscal/physical/ ftfy
Noah King
Recovery key in bank safety deposit box and a note that it is there
The brain injury would probably make you a turnip though so what good would it do you
Noah Sanchez
>You only need to be distracted one time to fuck it all up.
How so?
Caleb Rodriguez
Write the master password on your penis. It's not like anyone else will ever see it.
Jayden King
>Keepass
I think I trust gpg plus git more
>How would the cloud help you with forgetting your password? Who forgets their password anyway?
Phone recovery. "I'll never forget my password" is a pretty flimsy thing to risk your entire digital life on
>How does storing your gpg key in the cloud make it less secure?
That's the same as storing your passwords in the cloud.
Jose Morris
With pass, the gpg key and the user are the weakest points; if something tragoc happens to one of these two, all is lost. Am I correct, or am I assuming wrong?
Caleb Evans
Tragic
Ethan Russell
You are correct. My gpg key is on my laptop and my phone (both of which have pass installed) and my home NAS. If you are really paranoid, buy one of those fancy magnetic tapes and store it somewhere secure.
My passwords are synced with private gitlab repo.
Logan Turner
>If I have a brain injury, I could forget my gpg key password
what
>That's the same as storing your passwords in the cloud.
if it's behind a 23-character master password, what's the issue? I could even post mine here, in fact I store the db in many devices as well as in "the cloud", good luck cracking it.
Dominic Brown
Now you have 3 weak points to keep an eye on. And all are insecure; they are all in plain sight and have no "camouflage". A physical handbook, on the other hand, is an unlikely place to store secure information if you are less than 40yo. In a worst case scenario, the last place the feds are going to look for a gpg key is in the physical handbooks and books in your home. And the best place to secure X is in the last place someone would ever look for X.
I am not taking practicality into consideration, but only security.
Carter Turner
I built a custom usb drive to store my db and my key to it.
It looks like a normal cross necklace of wood, nobody would know it's a usb drive unless you take it apart.
Like pic related, except it's smaller both in height and thickness, like a normal cross. Only 4GB though. And it doesn't have the ugly line where you can see it's split because I used a different method (a small door in the bottom of it which you can move, and then the usb plug comes out).
>Now you have 3 weak points to keep an eye on. And all are insecure, they are all in plain sight and have no "camouflage".
Why do I need it? My GPG key has a 20-character password of its own. So, even if somebody actually gets both my GPG key from one of the 3 devices in the world that have it and my passwords, they still need the master key that's only in my head.
And if you are extremely paranoid, you can use slave keys (or however they are called) and change them every week with convenience, using your main key that is never on you.
>the last place the feds are going to look
Is this such a big concern for Americans? I just don't want anyone in my accounts.
Hudson Walker
>I just don't want anyone in my accounts
That is likely to happen because your acc/pass is on a database that can be secured with a default admin password.
See, if your data were to leak, it's likely to not be from you, but from an insecure database. If you keep good tabs on all your passwords, you don't really need a password manager. It would only act as safekeeping against a hacking attempt directed only at you. And such a scenario would only happen if you are a high profile target or work for a company that has valuable data.
Nicholas Anderson
I disagree. With a password manager all my passwords are sufficiently secure (30 characters) and unique. Therefore no matter if one site leaks anything, all the others are secure. Plus I don't have to remember that many passwords.
Brayden Ross
great, now your security has gone from a 2048 bit key to 184 bit.
Dominic Hill
good point. but i still prefer an analog method of safekeeping my shit, and that will be more secure and could give plausible deniability in a more digital/technological centred society.
t. already raided once by the feds
Luis Cruz
Why did they raid you? Also, what would you do in a situation where you're raided and need to dispose of the passwords to protect your security? I do the same as you.
Julian Long
>I have a brain injury
then you will fit well on Jow Forums butt :DD :DDD
Brayden Watson
what are you talking about? if you have multiple weak passwords, generally only one needs to be broken, the e-mail's, then the others can be reset.
Isaiah Wilson
>afraid of brain injury
>not wearing a xiaomi helmet with rgb controller
Yeah, you deserve it
Christian Murphy
Why do you think people use long pgp keys? Why do you think people don't use 184 bit keys, but instead use 2048 bit keys? Because it's harder to break. Why are you even using gpg if it's ultimately just protected behind a SECRET key that you've made PUBLICLY available with only 184 bits to break?
Matthew Ramirez
pass is overcomplex and the authors don't really seem to "get" unix design while touting pass as being the pinnacle of it
Jacob Torres
What would be a more Unix like design? Genuinely curious, not questioning you.
Ryan Hernandez
the unix design would be to simply print every database line to standard output with (for example) tab-separated formatting ready to pipe through standard unix tools like grep and awk, like this:
here i use "|" instead of tab because i think tabulation doesn't translate well to Jow Forums code tags
pass has the right fundamental idea though: just use gpg in a small wrapper script, and use a password-protected key. i just don't see the need for 700 lines of bash script when a few lines would achieve what i said above and would fit better with the unix approach to program design.
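The design sketched above, as an added example that is not pass's own code and not the poster's: a few shell functions that decrypt a tab-separated file with gpg and leave all filtering to awk, so the output can be piped through grep and friends. The file name, the field layout and the sample records are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not pass's own code: a minimal gpg wrapper around a
# tab-separated password file, in the spirit of the post above.
# Assumed layout (constructed for this example), one record per line:
#   site<TAB>user<TAB>password<TAB>notes
# The file is an OpenPGP-encrypted blob; its path is an assumption.
PASSDB="${PASSDB:-$HOME/.passdb.tsv.gpg}"

# Decrypt the whole database to stdout; gpg asks for the key passphrase.
# Everything downstream is plain awk/grep: pdb_cat | pdb_grep '^git'
pdb_cat() {
    gpg --quiet --decrypt "$PASSDB"
}

# Filter records (from stdin) whose site field matches a regex and print
# only site and user, so the secret never hits the terminal by accident.
pdb_grep() {
    awk -F '\t' -v re="$1" '$1 ~ re { print $1 "\t" $2 }'
}

# Print exactly one password (from stdin) for an exact site+user match;
# prints nothing if there is no such record.
pdb_pw() {
    awk -F '\t' -v site="$1" -v user="$2" \
        '$1 == site && $2 == user { print $3; exit }'
}

# Re-encrypt an edited plaintext stream from stdin to the database,
# for the given recipient key id. Typical edit cycle:
#   pdb_cat > /tmp/db.tsv; $EDITOR /tmp/db.tsv; pdb_save KEYID < /tmp/db.tsv
pdb_save() {
    gpg --quiet --yes --encrypt --recipient "$1" --output "$PASSDB"
}
```

The awk stages read stdin, so they compose with any other unix filter between `pdb_cat` and the terminal.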
Aaron Murphy
>If I have a brain injury, I could forget my gpg key password
this is actually one of my biggest fears
Wyatt Myers
and my solution is a pass manager but with the main password written physically down
Chase Parker
don't worry about losing passwords for websites because you can just reset the password on everything. for local encryption there is no reason to have a manager for different passwords, because why is one password to unlock 20 passwords more secure than 20 passwords? you may as well be using one
Hudson Cruz
>why is one password to unlock 20 passwords more secure than 20 passwords?
Because you need to have access to the actual hardware to open all the other 20?
Jeremiah Roberts
>the unix design would be to simply print every database line to standard output with (for example) tab-separated formatting ready to pipe through standard unix tools like grep and awk, like this:
and that design philosophy is fucking wrong. the age of throwing untyped strings of bytes at program stdin's should have ended forever ago.
Jordan White
>remember a bunch of different passwords that are inherently limited by our brains' capacity
vs
>remembering one complex, nearly unbreakable password and having 128 character passwords for everything
Jackson Davis
relevance?
>remember one password
okay, you now effectively have one password. when that one password is compromised, "everything" is compromised
Tyler Kelly
>relevance
Significantly harder to obtain the passwords.
Jackson Nelson
>when that one password is compromised, "everything" is compromised
Only when you have the GPG file for that too. And the GPG file (if it is even sent over the net at all) is encrypted with an "unbreakable" one-time password when sent over the network.
Joseph Jones
but there isn't a point to having 20 passwords unlocked by one password. at that point you could have just used the one uniform password and you'd be equally insecure
the scope we're talking about is local, isn't it? that's what the discussion is about, local encryption. of course physical access is there
Dominic Edwards
it's only 700 lines because bash is shit, but also because pass does a lot more, like firefox integration and otp plugins.
Michael Morris
>you could have just used the one uniform password and you'd be equally insecure
What? I use one uniform password => any leak on any website and all of my accounts are compromised. Right now any leak will result in only 1 service being compromised.
To achieve the same effect with pass you need physical access to my hardware and the password that is not written anywhere in the world and is unique.
>local encryption
Why do you even need more than 2 local passwords?
1. For full disk encryption in case of access to your hardware
2. Strong root password in case of remote access
Elijah Stewart
all web passwords are compromised when your email password is. there isn't a point to discussing web passwords, we're talking about local passwords
so you only need a physical keylogger attached one time, okay, i completely understand
John Ramirez
lmao you think asymmetric key sizes are the same as symmetric. A 2048 bit rsa key has (roughly) the strength of a 192 bit symmetric key. 768 bit rsa keys are easily broken with only a few million dollars worth of supercomputer but even a 60 bit password with a good key derivation function is reasonably secure, and 128 bit aes is overwhelmingly secure.
>Sounds like you're full of shit user
An rsa key is a huge number which is the product of two prime numbers. Cracking the key is done by factoring the composite into the two secret primes. This is pretty easy to do to a 128 bit number on consumer hardware. A symmetric key is just straight up a secret. You have nothing to work from; the only thing you can do is guess. Going through every 128 bit number in an exhaustive search takes a long, long time. Even with the entire planet's computational power you aren't doing it on geological time scales.
Adam Price
Strong user password in case of remote access. That makes three passwords.
Four for your keepass database.
But more than that? Nah.
Although that said I do have more.
Hudson Nelson
>I think I trust gpg plus git more
It's not that simplistic. There is lots of glue logic and interface impedance. I haven't followed it but there has been at least one bug around that already. Keepass is more mature.
Brandon Gomez
>You have nothing to work from
A human wrote the password. Realistically, you don't need to try every single value.
Landon Robinson
There's also a difference between a password fed into a good key derivation function and a straight key. A 60 bit key is easily cracked. A password with 60 bits of entropy fed through argon2 is secure enough that only state sponsored attacks are feasible, and it would cost a lot of money.
Jeremiah Turner
>Strong user password
Why? Unless you have some retarded policies like using "sudo", you don't have to worry about that.
>all web passwords are compromised when your email password is
That's why you use services like "protonmail" that require 2, or at least use 2 factor for the one with access to your accounts.
>so you only need a physical keylogger attached one time
At that point we can start discussing the possibility of physical torture. Just as likely.
Joshua Cook
>pass does a lot more, like firefox integration and otp plugins.
so unixy!
if you love powershell so much, stick to fucking windows
Charles Russell
>if you love powershell so much, stick to fucking windows
or maybe you accept the future is now faggot. Windows does a lot of things right and linux is only now getting the userspace and kernel support for great things.
Eli White
so how would you implement grep in your magical typed clusterfuck shell, smart guy? or sed? awk? wc?
you wouldn't? you'd implement a dbus interface exposing methods that you'd call into to get the exact information you need in a structure that doesn't require a fucking string manipulator. literally every other OS, mac and vindoos, does this and only DEs in linux really use it.
Parker Ramirez
what does dbus have to do with, say, searching for a string in hundreds of files?
Austin Williams
alright if you're not going to respond to my posts in a timely manner, fuck off
Nathan Morgan
same 2bh, have a few diceware passwords for some stuff. wrote them down as a last resort.
William Hughes
Add a keyfile that you never upload to the internet, only pass between devices physically. Though it becomes pretty easy to guess which file is the keyfile when the same file is on every drive you find.
You can get pretty autismo on security, so figure out what limitations are acceptable. Such as if someone breaks into your house with the sole objective to steal your passwords then all bets are off.
Evan Butler
>If the world ends I won't be able to use my accounts.
It's still better. If you use the same password everywhere then you have loads of potential failure points. If you use different passwords but no manager then you're at risk of forgetting, or your passwords are weaker than they could be, or you have physical vulnerabilities from writing them down in an open notepad or notebook. If you use a password manager, or hell, manually encrypt your passwords yourself, or even create an algorithm that lets you generate your password in your head on the fly based on the site name, then you have the least amount of potential failure points. Simple as that.
Politics. And I didn't say to dispose, but to hide more effectively. Disposing of something can be taken as destroying evidence and/or they can easily accuse you of obstruction of justice