pass - Random

Welcome to the Functional Programming Zulip Chat Archive. You can join the chat here.

Sridhar Ratnakumar

Torsten Schmits said:

why not use pass? works nice with firefox and chrome, is in nixpkgs, uses a git repo

I've decided to switch to pass.

TIL that pass is just a bash script: https://git.zx2c4.com/password-store/tree/src/password-store.sh

Torsten Schmits

yeah it's hardcore unix philosophy, and for my requirements it's just right

Joel McCracken

I have several issues with pass, but i love the idea in general

Joel McCracken

specifically, the site in the site/password pair is plaintext; I would vastly prefer it to be encrypted as well. hosting a public repo with your pass data is telling people precisely which sites you have an account with

Torsten Schmits

the site/username is commonly encoded in the file path

Sridhar Ratnakumar

Also, why would you host public git repo? I'd just put it in keybase private git (which is also encrypted) or github private repo.

Torsten Schmits

I'm storing it in my private gitlab on my server

Joel McCracken

Yeah i'm just saying that it exposes the names in plaintext; for example the author of propellor (apparently) keeps all his passwords in a single GPG file on a public git repo

Joel McCracken

the readme or instructions or whatever for pass say to use the site name in the filename.

Joel McCracken

(I don't remember where I read it, but I do remember specifically seeing it)

Torsten Schmits

but this also means that whoever manages to steal your pgp key has access to all your passwords!

Joel McCracken

anyway, it isn't like a HUGE issue; I could still see someone else using pass. but for me I just think it's enough of an issue to look elsewhere

Torsten Schmits

there are tools for git that do encryption related tasks, I bet there's one for scrambling paths

Joel McCracken

i may have to look at that

Joel McCracken

(anyway, all I'm saying is that I wouldn't be surprised if someone out there had their pass directory hosted on github in a public repo, thus exposing all the sites they use. When a tool has a non-obvious weakness like this, people do end up missing things when using the tool at times...)

TheMatten

keepassxc is interesting from what I've tried - it has both GUI and CLI, supports autofill in browser through extension and works with db encrypted with master password

TheMatten

And I can combine it with KeePassDX on my phone, which too supports autofill

Sridhar Ratnakumar

How are passwords stored, and in what format, in KeePassXC?

Sridhar Ratnakumar

Where do you keep your private GPG key safe?

cf. https://security.stackexchange.com/questions/51771/where-do-you-store-your-personal-private-gpg-key

So, I want to start using pass, but I need a GPG key for this. This application will store all of my passwords, which means it's very important that I don't lose my private key, once generated. Hard

Sridhar Ratnakumar

Finally I switched to pass. NixOS instructions: https://www.srid.ca/pass.html