Password managers are programs that we are forced to deal with every day. There is no doubt how important they are given the digital world we live in.
The question is, are they secure enough? With news of data breaches becoming more and more frequent, it is a question we should take very seriously.
This article will explore a simple but efficient solution to this problem: password-store, better known as pass, a password manager designed to be used from the terminal.
Setting up pass
The enormous flexibility of pass is evident from the installation process itself. Besides being available on a wide range of platforms, pass also offers various installation methods.
Setting up pass using your OS default package manager.
This is possibly the most convenient installation method for those who want to start using pass as soon as possible.
- PROS: fast and hassle-free.
- CONS: somewhat less flexible in terms of customization; also, the pass version may not be the latest.
Ubuntu, Debian, and other Debian or Ubuntu-based distros
$ sudo apt-get install pass
Fedora, RHEL, CentOS, or other RHEL-based distros
$ sudo yum install pass
openSUSE and other openSUSE distros
$ sudo zypper in password-store
Gentoo
# emerge -av pass
Arch, Manjaro, and other Arch-based distros
$ sudo pacman -S pass
macOS
$ brew install pass
Please note that you will need to install the Homebrew package manager beforehand.
FreeBSD, DragonFlyBSD, and other FreeBSD-based distros
# portmaster -d sysutils/password-store
Building pass from the source
The second installation method is a bit more advanced as it requires building the package from the source.
- PROS: besides getting the latest version, you can change the default location to suit your needs.
- CONS: you will need to manually update the password-store CLI by building from source when required.
1. Download the latest version of pass from the author’s website. At the time of writing, the latest version is password-store-1.7.3 and is available in both zip and tar.xz format. Alternatively, you can clone the password-store Git repository to an appropriate folder.
2. Assuming you downloaded the file, open a terminal and browse to its location. In case you have chosen to clone the repository, skip this step.
Decompress the file using the appropriate method.
For zip files, run the following command from the location of the compressed file:
$ unzip password-store-1.7.3.zip
For tar.xz archives, run the following command from the archive location:
$ tar -xvf password-store-1.7.3.tar.xz
3. Navigate to the newly created directory, in this case, password-store-1.7.3:
$ cd password-store-1.7.3
4. Run the make command to build pass in its default location:
$ sudo make install
Note that to build files from the source, you must have the necessary dependencies installed first. In case you want to change the standard password-store location, you can do it by modifying the environment variables inside the makefile.
Initializing pass
At this point, you should already have password-store installed; however, before you can start using it you will need to initialize it. In that regard, it is mandatory to use a GPG key ID to encrypt the passwords.
Generate a new gpg-id (in case you don’t have one). Refer to your distribution documentation if necessary.
Initialize your password-store by executing the following command:
$ pass init <gpg-id>
Remember to replace gpg-id with the appropriate value (your GPG key).
The hidden directory .password-store will be created, and pass will be ready for use. However, this procedure somewhat limits the possibility of automatic backups and forgoes the advantage of having a version control system to correct errors when creating passwords.
Fortunately, pass has a workaround that consists of initializing the password-store as a git repository. To do this, all you have to do is reinitialize pass and configure the repository in which the passwords will be stored.
$ pass git init && pass git remote add origin <repository-name>
Once a git directory is initialized inside the password-store, a git commit will be created each time the contents of the directory change. Changes can be synchronized with the remote repository by simply using:
$ pass git push -u --all
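Before pushing, it is worth seeing what the remote will hold: pass encrypts the contents of each entry, but entry and folder names are ordinary file and directory names, readable by anyone with access to the repository. The following added example (not part of pass or of the original article) lists those names and flags any file that would be pushed unencrypted; the function names and the sample store are constructed for illustration.

```bash
# Added example (not part of pass): show what a Git remote would learn from
# a password store. File contents are encrypted; paths are not.
# Assumption: default store location unless PASSWORD_STORE_DIR or $1 is set.

# Entry names exactly as they appear, unencrypted, in the repository.
store_entry_names() {
    local store="${1:-${PASSWORD_STORE_DIR:-$HOME/.password-store}}"
    ( cd "$store" && find . -path ./.git -prune -o -type f -name '*.gpg' -print ) |
        sed -e 's|^\./||' -e 's|\.gpg$||' | LC_ALL=C sort
}

# Files that are neither .gpg entries nor pass/Git housekeeping files;
# anything listed here would be committed and pushed in the clear.
store_plaintext_files() {
    local store="${1:-${PASSWORD_STORE_DIR:-$HOME/.password-store}}"
    ( cd "$store" && find . -path ./.git -prune -o -type f \
        ! -name '*.gpg' ! -name '.gpg-id' ! -name '.gitattributes' -print ) |
        sed -e 's|^\./||' | LC_ALL=C sort
}

# Constructed sample store (empty placeholder files, no real secrets).
make_sample_store() {
    local d
    d="$(mktemp -d)"
    mkdir -p "$d/.git" "$d/Banks/Bank1"
    : > "$d/.git/config"
    : > "$d/.gpg-id"
    : > "$d/Banks/Bank1/password.gpg"
    : > "$d/Banks/Bank1/secret1.gpg"
    : > "$d/Banks/Bank2.gpg"
    echo 'constructed note' > "$d/Banks/notes.txt"   # stray plaintext file
    echo "$d"
}

sample="$(make_sample_store)"
echo "Visible entry names:"; store_entry_names "$sample"
echo "Unencrypted files:";   store_plaintext_files "$sample"
rm -rf "$sample"
```

Run against a real store by calling the two functions with no argument; if the names themselves are sensitive, keep the remote private or choose neutral entry names.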
Managing and using pass
Using pass is extremely intuitive. However, before you can start enjoying all the benefits of this wonderful password manager, you must decide how to organize your passwords.
Managing password-store metadata
Let’s start by talking a bit about how you can store and organize information with pass. In this sense, it is important to emphasize that pass does not impose any particular methodology. This opens up the possibility of different strategies for managing your sensitive data. Some of them are listed below.
Organize sensitive information into separate folders. In this scheme, each piece of information is stored individually in different folders/files, for example:
Password Store
└── Banks
├─── Bank1
│ ├─── password.gpg
│ ├─── secret1.gpg
│ └─── secret2.gpg
└─── Bank2
├─── password.gpg
├─── secret1.gpg
└─── secret2.gpg
Although this is an intuitive way to organize the information, it has the disadvantage that you will have to create each entry separately. This leads us to the following schema, which takes advantage of the Multi-line functionality of pass.
Organize sensitive data using multi-line entries. This scheme is similar to that used by many graphical password managers and consists of creating an individual entry containing different types of information.
Password Store
└── Banks
├─── Bank1.gpg
└─── Bank2.gpg
Although it is not visible in the figure, each of the entries (Bank1.gpg and Bank2.gpg) consists of multiple lines, each with different information types. The standard, as well as the multi-line functionality, will be explained in detail in the next section.
Custom metadata schema. Given the flexibility offered by pass, nothing stops you from implementing a customized schema for storing your sensitive data. In fact, nothing prevents you from combining and using different schemas according to your needs.
Password Store
└── Banks
├── Bank1
│ ├── password.gpg
│ ├── secret1.gpg
│ └── secret2.gpg
├── Bank2.gpg
└── Bank3
├── password.gpg
├── secret1.gpg
└── secret2.gpg
Now that you have a general idea of how you can manage the information in pass, it’s time to get into how to get the most out of it on a day-to-day basis.
Using pass
Up to this point, you have learned how to install the password-store, how to initialize it, and the different schemes you can use to manage your data. It is time to learn its basic functionality, i.e., how to create, modify, and delete entries, generate secure passwords, and use pass by copying information to the clipboard.
Creating a new pass entry. In the previous section, we mentioned the ability of pass to create single or multi-line entries. In both cases, the creation of such entries is done using the insert command.
To create one-line entries, you can use the following command:
$ pass insert <entry name>
Creating a multi-line entry is done through the [ --multiline, -m ] argument.
$ pass insert -m <entry name>
This will allow you to add as many lines of information as you wish. Once you are ready, just press Ctrl+D to save your entry.
In both cases, you can create folders by including the desired path.
$ pass insert -m <path/to/entry/entry-name>
Remember the example from the previous section? To create one of those entries, all you have to do is:
$ pass insert Banks/Bank3
Listing and displaying entries. Once your password store grows, you will often need to list your passwords for later use. This can be accomplished with the two commands shown below:
$ pass ls subfolder
This command displays all your entries, or if you use the subfolder argument, the entries in that directory. For your convenience, pass displays these entries using the program tree.
To display (or copy) the information for an entry you can run the command:
$ pass show [ --clip[=line-number], -c[line-number] ] [--qrcode[=line-number], -q[line-number] ] pass-name
Let’s take a closer look at the arguments and options of this command.
[ --clip[=line-number], -c[line-number] ] If you use the show command together with this argument, the first line (or the specified line) of the entry is copied to the clipboard instead of being displayed on the console.
[ --qrcode[=line-number], -q[line-number] ] Similarly, if you use the show command together with this argument, a QR code of the specified line is displayed (in the terminal or in the GUI) instead of the entry itself.
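When a script needs a single field from a multi-line entry rather than the clipboard, the output of pass show can be piped through a small filter. This is an added example, not code from pass or from the original article; it assumes the common layout in which the first line is the password and the remaining lines are "key: value" pairs, and the function names and sample entry are constructed.

```bash
# Added example (not part of pass): read one field from a multi-line entry.
# Assumed layout (a convention, not enforced by pass): line 1 is the
# password, later lines are "key: value" pairs.
# Real use: pass show Banks/Bank1 | entry_field username

# entry_line N: print line N of the entry on stdin (like `pass show -cN`,
# but to stdout so it can feed another program).
entry_line() {
    case "${1:-1}" in
        *[!0-9]*|0) echo "line number must be a positive integer" >&2
                    return 2 ;;
    esac
    sed -n "${1:-1}p"
}

# entry_field KEY: print the value of the first "KEY: value" line after
# line 1. Keys match case-insensitively; values may contain ":" (URLs).
# Exits with status 1 when the key is absent.
entry_field() {
    awk -v key="$1" '
        NR > 1 {
            i = index($0, ":")
            if (i > 0 && tolower(substr($0, 1, i - 1)) == tolower(key)) {
                value = substr($0, i + 1)
                sub(/^[ \t]+/, "", value)
                print value
                found = 1
                exit
            }
        }
        END { exit (found ? 0 : 1) }'
}

# Constructed sample entry standing in for `pass show Banks/Bank1` output.
sample_entry() {
    printf '%s\n' 'constructed-Passw0rd' 'username: alice' \
        'url: https://bank1.example/login' 'pin: 0000'
}

sample_entry | entry_field url
sample_entry | entry_line 2
```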
Modifying entries (editing entries). It is common to make mistakes when entering a new entry; that is why pass has two handy commands to modify it. Below, we explain how to use these commands.
On the one hand, we have pass mv, which modifies the name or path of the entry but does not change the content of the entry. Its general use is:
$ pass mv [ --force, -f ] old-path new-path
On the other hand, we have the pass edit command, which allows you to change the content of an entry but not to modify its path or name.
$ pass edit pass-name
It is important to note that this command invokes the text editor specified by the environment variable EDITOR.
Deleting entries. In those cases where you simply want to delete an entry, all you have to do is use the following command:
$ pass rm [ --recursive, -r ] [ --force, -f ] pass-name
Generating secure passwords. You can generate secure passwords via /dev/urandom. In this case, pass will take into account several arguments shown below:
$ pass generate [ --no-symbols, -n ] [ --clip, -c ] [ --in-place, -i | --force, -f ] pass-name [pass-length]
Once again, we need to review each part of the command in detail.
[ --no-symbols, -n ] As you might suspect, this argument causes pass to only use alphanumeric characters when generating the password.
[ --clip, -c ] As with the show command, this argument prevents the password from being displayed and instead copies it to the clipboard.
[ --in-place, -i | --force, -f ] This argument causes pass to replace the first line of the entry with the generated password without modifying the rest of the entry.
[ pass-length] Specifies the length of the password to be generated.
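To make the /dev/urandom approach concrete, the following added example (a sketch, not pass's own code and not from the original article) filters random bytes down to an allowed character set and estimates the resulting entropy, which shows what restricting the alphabet with --no-symbols costs at a given length. The function names are constructed, and the default length of 25 is an assumption of this sketch.

```bash
# Added example (not pass's own code): generate a password by discarding
# every byte from /dev/urandom that is not in the allowed character set.

# gen_password [LENGTH] [--no-symbols]
gen_password() {
    local length="${1:-25}" charset='[:punct:][:alnum:]'
    [ "${2:-}" = "--no-symbols" ] && charset='[:alnum:]'
    case "$length" in
        ''|*[!0-9]*|0) echo "length must be a positive integer" >&2
                       return 2 ;;
    esac
    # LC_ALL=C makes the character classes cover ASCII only.
    LC_ALL=C tr -dc "$charset" < /dev/urandom | head -c "$length"
    echo
}

# entropy_bits LENGTH ALPHABET_SIZE: length * log2(alphabet size), rounded.
# ASCII has 94 printable non-space characters, 62 of them alphanumeric.
entropy_bits() {
    awk -v n="$1" -v k="$2" 'BEGIN { printf "%.0f\n", n * log(k) / log(2) }'
}

gen_password 25
gen_password 25 --no-symbols
echo "25 chars with symbols:    $(entropy_bits 25 94) bits"
echo "25 chars without symbols: $(entropy_bits 25 62) bits"
```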
Copying entries/folders. You may find it useful to copy entire entries or directories to a new location in some cases. To do this, you should use the cp (copy) command.
$ pass cp [ --force, -f ] old-path new-path
If you use the -f (force) option, an existing entry at the new path will be overwritten.
In all of the above cases, pass will re-encrypt entries that are copied, modified, or altered in any way.
If you require more information regarding these commands, we invite you to review the pass man page.
Extending pass functionality
Although pass is already extremely versatile and customizable, its functionality can be extended further through extensions and GUI clients.
Pass extensions
The active community that revolves around pass has created several extensions which you can download from the author’s website. To activate any of these extensions, all you have to do is place them in the directory where pass is installed, which by default is /usr/lib/password-store/extensions. If that location doesn’t suit you, you can change it using the environment variable PASSWORD_STORE_EXTENSIONS_DIR.
Pass compatible clients
While one of the main attractions of pass has to do with its simple, terminal-based nature, you may prefer another type of environment, specifically a graphical one. If that is the case, you will be pleased to know that the community has also developed several compatible clients with pass.
These clients range from dmenu scripts to cross-platform GUI clients and even Alfred integrations. For a complete list of pass compatible clients, you can go to the project page.
Migrating from LastPass and other password managers
LastPass recently announced a radical change in its plan scheme, which introduced serious limitations to the functionality of the free plan. However, you have nothing to worry about. What better than the versatility of pass to deal with this situation?
You may be hesitant to make such a change, as you would have to re-enter all your passwords in pass. If that’s the only thing holding you back, we have great news for you. There are a number of community contributions that will make this task as simple as running a script!
Returning to the case of LastPass, should you wish to migrate your data to pass, all you have to do is open your Vault and turn your attention to the bottom left corner and click on “Advanced Options.”

This will open an additional panel on your left, where you should locate the “Export” option.

This will download all passwords, secure notes, addresses, and other information stored in LastPass into a file called lastpass_export.csv.
The next step is to download the LastPass script (lastpass2pass.rb) from the pass author’s website. This is a script written in Ruby that you can run from the terminal to migrate all your information to pass automatically!
For more information on how to run scripts written in Ruby or Python, please refer to your OS documentation.
