Is pass really such a good idea?

pass is a personal password manager for Unix. It lets you encrypt your passwords with gpg and store them with git.

Is this really such a good idea? I'm really scared of my info becoming unrecoverable. If I have a brain injury, I could forget my gpg key password. Not to mention losing my key. If I back it up on the cloud it's useless. If I store it in real life, my entire digital life can be wiped out by a fire or a flood. If I back it up in multiple places, my security is reduced.

Is pass provably more secure than cloud password managers?


umm, just use keepass lmaoo

>If I have a brain injury, I could forget my gpg key password
You'd lose every other password too, so no problem there
>If I back it up on the cloud it's useless
How so?
>If I store it in real life, my entire digital life can be wiped out by a fire or a flood. If I back it up in multiple places, my security is reduced.
Just put a mirror in your dad's basement without telling anyone lmao, it's not rocket science

If I have a brain injury I'll be off to Switzerland to kill myself so idc

No, use keepass.

If you're worried about losing the master password, keep it somewhere safe written down on a piece of paper.
If you're worried about losing the database, store it in multiple places. My solution is to have a server that hosts the file. Accessible anywhere in the world. Backed up regularly with scripts.

There's no defending against brain injury. Wear a helmet.

I use it, pretty cool.
Sync it with gitlab, have a copy on my phone and laptop.

Should probably sync with my home NAS instead.

if you keep it on like three different devices, the odds of it disappearing are pretty high

>If I have a brain injury, I could forget my gpg key password
How does this make it any better/worse?
You would have lost your passwords anyway.
>If I store it in real life, my entire digital life can be wiped out by a fire or a flood. If I back it up in multiple places, my security is reduced.
Same here.

You don't actually mention any reason why this method is worse than any other method.

Have you considered a fiscal notepad? If you are too old or retarded to not remember all your passwords, that is the way to go
>Inb4 not secure
Only if you are a retard, and you could lose everything on pass just as easily. You only need to be distracted one time to fuck it all up.

s/fiscal/physical/
ftfy

Recovery key in bank safety deposit box and a note that it is there

The brain injury would probably make you a turnip though so what good would it do you

> You only need to be distracted one time to fuck it all up.
How so?

Write the master password on your penis. It's not like anyone else will ever see it.

>Keepass
I think I trust gpg plus git more
>How would the cloud help you with forgetting your password? Who forgets their password anyway?
Phone recovery. "I'll never forget my password" is a pretty flimsy thing to risk your entire digital life on
>How does storing your gpg key in the cloud make it less secure?
That's the same as storing your passwords in the cloud.

With pass, the gpg key and the user are the weakest points; if something tragoc happens with one of these two, all is lost. Am I correct, or am I assuming wrong?

Tragic

You are correct.
My gpg key is on my laptop and my phone (both of which have pass installed) and my home NAS. If you are really paranoid, buy one of those fancy magnetic tapes and store it somewhere secure.

My passwords are synced with private gitlab repo.

>If I have a brain injury, I could forget my gpg key password
what


>That's the same as storing your passwords in the cloud.

if it's behind a 23-character master password, what's the issue? I could even post mine here, in fact I store the db in many devices as well as in "the cloud", good luck cracking it.

Now you have 3 weak points to keep an eye on. And all are insecure; they are all in plain sight and have no "camouflage". A physical handbook, on the other hand, is an unlikely place to store secure information, if you are less than 40 years old.
In a worst case scenario, the last place the feds are going to look for a gpg key is in the physical handbooks and books in your home. And the best place to secure X is in the last place someone would ever look for X.

I am not taking practicality into consideration, only security.

I built a custom usb drive to store my db and my key to it.

It looks like a normal cross necklace of wood, nobody would know it's a usb drive unless you take it apart.

Like pic related, except it's smaller both in height and thickness, like a normal cross. Only 4 GB though. And it doesn't have the ugly line where you can see it's split, because I used a different method (a small door in the bottom of it which you can move, and then the usb plug comes out).

Attached: file.png (259x194, 37K)

>Now you have 3 weak points to keep an eye on. And all are insecure, they are all in plain sight and have no "camouflage".
Why do I need it? My GPG key has a 20-character password of its own. So, even if somebody actually gets both my GPG key from one of the 3 devices in the world that have it and my passwords, they still need the master key that's only in my head.

And if you are extremely paranoid, you can use slave keys (or however they are called) and change them every week with convenience, using your main key that is never on you.

>the last place the feds are going to look
Is this such a big concern for Americans? I just don't want anyone in my accounts.

>I just don't want anyone in my accounts
That is likely to happen because your acc/pass is on a database that can be secured with a default admin password.

See, if your data would leak, it's likely to not be from you, but from an insecure database. If you keep good tabs on all your passwords, you don't really need a password manager. It would only act as a safekeeping against an attempt at hacking directed only at you. And such a scenario would only happen if you are a high profile target or work for a company that has valuable data.

I disagree.
With a password manager all my passwords are sufficiently secure (30 characters) and unique. Therefore, no matter whether one site leaks anything, all the others are secure.
Plus I don't have to remember that many passwords.

great, now your security has gone from a 2048 bit key to 184 bit.

good point.
but i still prefer an analog method of safekeeping my shit, and that will be more secure and could give plausible deniability in a more digital/technology-centred society.

t. already raided once by the feds

Why did they raid you?
Also, what would you do in a situation where you're raided and need to dispose of the passwords to protect your security?
I do the same as you.

>I have a brain injury,
then you will fit well on Jow Forums
butt :DD :DDD

what are you talking about? if you have multiple weak passwords, generally only one needs to be broken, the e-mail's, then the others can be reset.

>afraid of brain injury
>not wearing a xiaomi helmet with rgb controller

Yeah, you deserve it

Why do you think people use long pgp keys? Why do you think people don't use 184 bit keys, but instead use 2048 bit keys? Because it's harder to break. Why are you even using gpg if it's ultimately just protected behind a SECRET key that you've made PUBLICLY available with only 184 bits to break?

pass is overcomplex and the authors don't really seem to "get" unix design while touting pass as being the pinnacle of it

What would be a more Unix like design? Genuinely curious, not questioning you.

the unix design would be to simply print every database line to standard output with (for example) tab-separated formatting ready to pipe through standard unix tools like grep and awk, like this:

% pass
master password:
example.com | user4123 | [email protected] | 123pass
slashdot.org | usernamexyz | [email protected] | Password123
...

% pass | grep slashdot
master password:
slashdot.org | usernamexyz | [email protected] | Password123


here i use "|" instead of tab because i think tabulation doesn't translate well to Jow Forums code tags

pass has the right fundamental idea though: just use gpg in a small wrapper script, and use a password-protected key. i just don't see the need for 700 lines of bash script when a few lines would achieve what i said above and would fit better with the unix approach to program design.
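The few-line gpg wrapper the post above sketches, written out as an added example (not code from the post or from the pass project). It assumes a tab-separated database of site, user, email, password kept encrypted at $PWDB with gpg's symmetric mode; the path, the column layout and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the pass project: a minimal gpg
# wrapper around a tab-separated password database (site, user, email,
# password). The file is kept encrypted at $PWDB (assumed name) with
# gpg --symmetric, so the only secret is the passphrase gpg prompts for.
# Requires GnuPG.

PWDB="${PWDB:-$HOME/.pwdb.tsv.gpg}"

# Decrypt the whole database to stdout, ready for "| grep" as described.
pwdb_dump() {
    gpg --quiet --decrypt "$PWDB"
}

# Encrypt a fresh database read from stdin. The subshell keeps the umask
# change local, and the rename is atomic so an interrupted write never
# leaves a half-written or plaintext file behind.
pwdb_write() {
    (
        umask 077
        gpg --quiet --symmetric --cipher-algo AES256 --output "$PWDB.tmp"
    ) && mv "$PWDB.tmp" "$PWDB"
}

# Print the TSV lines on stdin whose first column (site) matches an
# awk extended regex given as $1.
pwdb_lookup() {
    awk -F '\t' -v pat="$1" '$1 ~ pat'
}

# Print only column $2 (4 = password) of the matching lines, so the
# secret can be piped into a clipboard tool instead of being echoed to
# a terminal whose scrollback or session log would keep it.
pwdb_field() {
    awk -F '\t' -v pat="$1" -v col="$2" '$1 ~ pat { print $col }'
}

# Typical use (constructed sample data):
#   printf 'example.com\tuser4123\tu@example.com\t123pass\n' | pwdb_write
#   pwdb_dump | pwdb_lookup 'slashdot'
#   pwdb_dump | pwdb_field 'slashdot' 4 | xclip -selection clipboard
```

Source the file and call the functions, or add a small case dispatcher; decrypting the whole file for every lookup is exactly the trade-off the post describes.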

>If I have a brain injury, I could forget my gpg key password
this is actually one of my biggest fears

and my solution is a pass manager but with the main password written physically down

don't worry about losing passwords for websites because you can just reset the password on everything
for local encryption there is no reason to have a manager for different passwords because why is one password to unlock 20 passwords more secure than 20 passwords? you may as well be using one

>why is one password to unlock 20 passwords more secure than 20 passwords?
Because you need to have access to actual hardware to open all the other 20?

>the unix design would be to simply print every database line to standard output with (for example) tab-separated formatting ready to pipe through standard unix tools like grep and awk, like this:

and that design philosophy is fucking wrong. the age of throwing untyped strings of bytes at program stdin's should have ended forever ago.

>remember a bunch of different passwords that are inherently limited by our brains capacity
vs
>remembering one complex, nearly unbreakable password and having 128 character passwords for everything

relevance?

>remember one password
okay you now effectively have one password
when that one password is compromised, "everything" is compromised

>relevance
Significantly harder to obtain the passwords.

>when that one password is compromised, "everything" is compromised
Only when you have the GPG file for that too.
And the GPG file (if it is even sent over the net at all) is encrypted with an "unbreakable" one-time password when sent over the network.

but there isn't a point to having 20 passwords unlocked by one password at that point
you could have just used the one uniform password and you'd be equally insecure

the scope we're talking about is local, isn't it?
that's what the discussion is about, local encryption
of course physical access is there

it's only 700 lines because bash is shit, but also because pass does a lot more, like firefox integration and otp plugins.

>you could have just used the one uniform password and you'd be equally insecure
What? I use one uniform password => any leak on any website and all of my accounts are compromised. Right now any leaks will result in only 1 service being compromised.

To achieve the same effect with pass you need physical access to my hardware and the password that is not written anywhere in the world and is unique.

>local encryption
Why do you even need more than 2 local passwords?
1. For full disk encryption in case of access to your hardware
2. Strong root password in case of remote access

all web passwords are compromised when your email password is, there isn't a point to discussing web passwords, we're talking about local passwords

so you only need a physical keylogger attached one time, okay, i completely understand

lmao you think asymmetric key sizes are the same as symmetric. A 2048 bit rsa key has (roughly) the strength of a 192 bit symmetric key. 768 bit rsa keys are easily broken with only a few million dollars worth of supercomputer but even a 60 bit password with a good key derivation function is reasonably secure, and 128 bit aes is overwhelmingly secure.

>Sounds like you're full of shit user
An rsa key is a huge number which is the product of two prime numbers. Cracking the key is done by factoring the composite into the two secret primes. This is pretty easy to do to a 128 bit number on consumer hardware.
A symmetric key is just straight up a secret. You have nothing to work from, the only thing you can do is guess. Going through every 128 bit number in an exhaustive search takes a long, long time. Even with the entire planet's computational power you aren't doing it on geological time scales.

Strong user password in case of remote access.
That makes three passwords.

Four for your keepass database.

But more than that? Nah.

Although that said I do have more.

>I think I trust gpg plus git more
It's not that simplistic. There is lots of glue logic and interface impedance. I haven't followed it, but there has been at least one bug around that already. Keepass is more mature.

>You have nothing to work from
A human wrote the password. Realistically, you don't need to try every single value.

There's also a difference between a password fed into a good key derivation function and a straight key. A 60 bit key is easily cracked. A password with 60 bits of entropy fed through argon2 is secure enough that only state sponsored attacks are feasible, and it would cost a lot of money.

>Strong user password
Why? Unless you have some retarded policies like using "sudo", you don't have to worry about that.

>all web passwords are compromised when your email password is
That's why you use services like "protonmail" that require 2 or at least use 2 factor for the one with access to your accounts.

>so you only need a physical keylogger attached one time
At that point we can start discussing the possibility of physical torture. Just as likely.

>pass does a lot more, like firefox integration and otp plugins.
so unixy!

if you love powershell so much, stick to fucking windows

>if you love powershell so much, stick to fucking windows

or maybe you accept the future is now faggot. Windows does a lot of things right and linux is now just getting the userspace and kernel support for great things.

so how would you implement grep in your magical typed clusterfuck shell, smart guy? or sed? awk? wc?

But dad's house is my house


you wouldn't? you'd implement a dbus interface exposing methods that you'd call into to get the exact information you need in a structure that doesn't require a fucking string manipulator. literally every other OS, mac and vindoos, does this and only DEs in linux really use it.

what does dbus have to do with, say, searching for a string in hundreds of files?

alright if you're not going to respond to my posts in a timely manner, fuck off

same 2bh, have a few diceware passwords for some stuff.
wrote them down as a last resort.

Add a keyfile that you never upload to the internet only pass between devices physically. Though it becomes pretty easy to guess what's the keyfile when the same file is on every drive you find.

You can get pretty autismo on security, so figure out what limitations are acceptable. Such as if someone breaks into your house with the sole objective to steal your passwords then all bets are off.

>If the world ends I won't be able to use my accounts.
It's still better. If you use the same password everywhere then you have loads of potential failure points. If you use different passwords but no manager then you're at risk of forgetting, or your passwords are weaker than they could be, or you have physical vulnerabilities from writing them down in an open notepad or notebook. If you use a password manager, or hell, manually encrypt your passwords yourself, or even create an algorithm that lets you generate your password in your head on the fly based on the site name, then you have the least amount of potential failure points. Simple as that.


Politics
And I didn't say to dispose of them, but to hide them more effectively. Disposing of something can be used as destroying evidence and/or they can easily accuse you of obstruction of justice.