Pass - The Standard Unix Password Manager
- Published 27 Aug 2024
- Looking for a small yet powerful password manager that has plugins for most web browsers and builtin dmenu support? Look no further! And this password manager adheres to the Unix Philosophy.
📰 REFERENCED:
www.passwordst...
wiki.archlinux...
📁 MY CONFIGS:
GitLab: gitlab.com/dwt1
I was skeptical about you when I first saw your videos pop up, but I really enjoy your videos now. They are very informative and you really know what you are talking about.
Yeah, same here. I do watch some other Linux content creators, but DT is really knowledgeable and really breaks it down for us newbs.
For generating a strong memorable master password diceware is a nice technique. And the whole point of using a password manager is to let it generate random passwords for you. So use `pass generate` instead of `pass insert`.
This has a lot of sense. Thanks.
exactly i really feel like he didn't cover enough for pass
just use your dogs name as a password, no one will ever guess it
The best part is definitely the Unix aspect of it. I mean think about what secrets you can store in there and then pipe to other commands. Like SSH keys or TOTP secrets that are then fed to the respective tool that connects to a service or generates some token. 🤔
why would you encrypt your ssh key with gpg? it already does that if you make it use a passphrase
I've been using pass the last couple of months and it works well for me. I like the fact that you can store a lot of information other than just passwords per 'node' and it also has a nice optional gui in the form of qtpass that I use alongside the terminal app. The fact that you are fully in control and don't depend on third parties' cloud solutions also appeals to me!
I always feel like your microphone audio is a little de-synced from your video. Can't complain too much, your videos are already at such a great standard. Keep up the good work!
Yeah, feels like the audio is delayed a few milliseconds or something
A password manager that adheres to the Unix philosophy.
Veeery interesting. I'm generally interested in terminal already. The ability to do any command at any time by just popping it up with a key bind. Exciting
I changed some passwords just today. I use the same pass to avoid forgetting them for many sites. I was thinking to use different ones but saving them in a text file (security level - 100). The timing of the video is scary XD. Awesome information.
Solid content from beginning to end, the reason why I love this channel. 👍 👍
Calling it 'solid content' is like a reviewer referring to something as a 'great product'. We know it's fake.
Joshua Josephson Wrong. I meant every word sincerely.
Joshua Josephson do you mean my opinion is fake, or that the video’s content is fake? 😂 😂 it’s all real, bro!!
@@mitchelvalentino1569 So did I. So what was your favorite part of the 'solid content'?
Joshua Josephson I didn’t have a favorite part. I liked the entire video. I like the overall presentation of information. The content is not too vague as to be useless, yet it’s detailed enough to be very useful. I am fond of traditional Unix tools and Unix philosophy, as well. I enjoyed the video from beginning to end and wanted to voice my support. Did you also enjoy the video?
That is the power of FOSS in action. I didn't know about PASS. :)
The good thing about pass is that it re-uses gnupg. If you've already setup gpg-agent, all your ssh keys can be stored in there too.
Alternatively, keepassxc is pretty good including support for passwords, TOTPs and ssh-keys.
I like keepassxc because it is available on mobile devices and every other platform that I use. I keep the database in the cloud so they are all synched. I do not keep the key file in the cloud, that is only copied locally via usb thumbdrive.
Thanks for another very useful tutorial, Derek. Love to see this stuff (whether I use it or not).
I use pass for quite a while now. I've combined it with Tor and Git. I use a RaspberryPi with SSH available over an Onion Service. Limit the accessibility with HiddenServiceAuthorizeClient on the Server. Then you are able to use the "torify"-command to push and pull your passwords over Tor.
Can you make a video?😁😅
Congratulations on 30k subscribers!!!
Thanks for showing us pass. I have been using keepassxc along with the browser extension, but this option looks pretty cool too.
Edit: For users of rofi , there is an alternative to passmenu that you can use with rofi called rofi-pass.
You don't have to gpg -d the password, if you do pass the pinentry program will prompt you for your password at that point
What about a separate video on GPG?
Crikey, I'd forgotten all about the *pass* utility! Now I'm tempted to give it a go and wean myself off the google password manager ☺
At around 10:40 and on you imply that the passphrase you enter for `pass` is different from your GPG passphrase and that GPG can be used as a backup if you forget your passphrase. This is not true; pass is just a wrapper around the same gpg command you were running to decrypt the file. Look at the source, it's just a shell script. If you forget that passphrase you create for your GPG key, you lose your data, period.
> If you forget that passphrase you create for your GPG key, you lose your data, period.
I stand corrected. I guess I better remember that passphrase. Digging around on the web, if you lose your passphrase...your options are extremely limited. I guess you could try to brute force the passphrase (would take a lot of computational power and a lot of time). Probably not a viable solution for most people though.
@@DistroTube > if you lose your passphrase...your options are extremely limited
Well certainly; you don't want a lot of options for recovery. A good lock only opens with the one key :P. Which speaking of keys, that's the other thing you need to be sure you keep safe. If you forget your passphrase OR lose that GPG secret key, you can't get in. It's best to keep that GPG secret key on a backup flash drive stored in a safe somewhere. If that flash drive gets stolen, they'll still need your passphrase and your .gpg files from your computer to be able to steal your passwords.
What? You are on your period. ;) You could output the decrypted key into another file and save it in plain text but that would defeat the purpose. Your only viable chance is the recovery method provided by the host of the website, Facebook, Twatter ...
@@Jaywalker9988 "Well certainly; you don't want a lot of options for recovery. A good lock only opens with the one key :P." You are such a generic wise ass. :P
I have a set of rules to create a password for each website/service. You basically just need to encode the site's name in some manner. I have 3 digits space reserved for the time of the password so I can change it regularly. They are all 17 digits in length, but if I like I can easily extend them to 20+. I can also write down "hints" on those passwords in plain texts, as long as I don't tell anyone else the rules, the hints won't leak anything. They won't be as random as those created by random password generators, but using some mixing of capitals, numbers, symbols, they look pretty obfuscated.
your channel is gold
Tried them all, Bitwarden by far the best.
Thanks a lot, it helps! I'm always looking for Linux stuff tutorials on your channel first!
Thanks for the video. I'm trying out pass now. One thing though: you shouldn't init the password manager with your private key. You should encrypt with the public key, private key is only for decrypting. It won't really matter if you only use pass on your one machine, but if you choose to push your password onto some server for syncing with other computers, you don't want to have your private key tied into your password store.
Lol im here only to comment that DT was wrong about LastPass. It did get hacked. Love you DT •3
i have been a 1Password user for quite some time but i'm really surprised at how many of its features are available in a pass-based environment. i'll try it out for a week and see if it works well as a complete alternative
So if I use the dmenu approach, I don't even need Pass? Just encrypt my facebook password with gpg, and then use a simple sh script to decrypt the password and copy to clipboard?
KeePass remembers not only passwords but logins and notes too. It can generate long and complex passwords so you shouldn't have to.
@bigpod, The reason that the hackers got nothing is that Lastpass encrypts the password vault locally using 256-bit AES encryption BEFORE uploading to their servers. They claim to have no way to recover an account with a lost master password as they have no access to any decrypted password vaults. If you are going to trust a third party to help manage your passwords that is the best way I know of to ensure security.
I created the store;
Password Store
|__facebook.com
|__PASSWORDS
|__twitter.com
I can't seem to be able to delete everything under the 'Password Store'. all commands from this lecture don't work for some reason. Does anybody know why?
can we please have a video on how to setup pass over git on a server to sync them with android-password-store
Good video, but I'll stick with KeePassXC.
especially since it has a command line version if you really need to script it
I use gopass,which is a pass-compatible program written in go, but organizes things into a hierarchy and offers some ncurses dialogues. Can use the same repo/password-store pass uses. It's not a GUI app at all, unlike what that website said.
What if my OS crashes, and I don't have any recoveries? Will I lose all the passwords forever?
I can finally get rid of all my yellow post-its from my monitor edges!
nah...green post-its are safer i'll keep using it .It's simple and safe
@@palamidagheo4520 And more ECO. Greta will be pleased.
That is why LastPass or 1Password or similar services are demanded. I have multiple PCs which I have to use daily plus smartphone, and I also have to share some passwords with my wife (shopping sites, etc.). With "pass" you cannot do it.
Awesome, I really need this tutorial cuz I was confused on how to make that App work.
im pretty sure that the most popular password manager is Excel.
4:48 ; assuming gnome pg page is installed. I'm a beginner and I don't think I have it installed, can you tell me please how to install it?
yum install not working.
No package pass available.
Error: Nothing to do
what to do now?
So it is possible to store Pass data on a few Linux machines so you dont have to just use the one machine all the time for your passwords? Great video many thanks.
Check out "gopass", which is like pass on steroids, but backwards compatible. Supports team/key management & syncing with a git repository.
@@christianmuehlhaeuser2922 Thank you.
Awesome video, subscribed!
Also, I have a windows and a linux PC. I have successfully installed in Linux mint, but does pass have to be installed in windows too before you can use the passff plugin in firefox?
It's scary when you build your password store in QtPass on Windows using the GUI and years later you start using Linux and want to re-encrypt your password-store with a new gpg key this time using the terminal hahaha.
Best practice is a good backup of your password-store.
How do I "clone" the pass store onto another device? Do I need to init with the same GPG key?
Just copy .password-store and .gnupg to another device.
How many times did you say gpg key in this video? 😂
i use gpg command to encrypt all my password files symmetrically and copy paste the password from the terminal to the web browser
now i need to figure out how to auto-clear my clipboard memory after i pasted the password onto the web browser
@@maverickmadison7392 There are CLI commands to modify the clipboard in all major platforms -- xclip/pbcopy/clip. Just have a script that runs that with dummy data few seconds after you copy.
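The delayed wipe suggested in the reply above, as an added example (not code from any commenter or from pass itself). It assumes X11 with `xclip`; the helper names are made up here. Unlike overwriting with dummy data, it touches the clipboard only if the secret is still there and then puts back what was there before, and 45 seconds mirrors the expiration mentioned elsewhere in the comments.

```shell
#!/bin/sh
# Added example: copy a secret, then remove it from the clipboard after a delay.
# Assumption: X11 with xclip. Swap these two helpers for wl-copy/wl-paste,
# pbcopy/pbpaste, etc. on other platforms. Helper names are hypothetical.
clip_set() { xclip -selection clipboard; }               # new contents on stdin
clip_get() { xclip -selection clipboard -o 2>/dev/null; } # current contents

# copy_with_timeout SECRET [SECONDS]
copy_with_timeout() {
    secret=$1
    timeout=${2:-45}

    # Remember the previous contents so they can be restored afterwards.
    before=$(clip_get) || before=''

    # printf is a builtin in bash and dash, so the secret is not exposed
    # as a process argument that other users could read from `ps`.
    printf '%s' "$secret" | clip_set

    (
        sleep "$timeout"
        # Touch the clipboard only if it still holds our secret. If the user
        # has copied something else in the meantime, leave that alone.
        if [ "$(clip_get)" = "$secret" ]; then
            printf '%s' "$before" | clip_set
        fi
    ) >/dev/null 2>&1 &
}

# Typical use (commented out so that sourcing this file has no side effects):
#   copy_with_timeout "$(gpg -d ~/secrets/site.gpg)" 45
```

Clipboard managers that keep a history will still retain the secret; exclude the password tool from them or disable history.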
'ed' is the standard UNIX password manager!
CRISPR is the standard editor!
password.txt is a great password manager that is encrypted using utf-8 method
Well, good explained. I'm not scared but it seems to be complicated for me 😅
It is not convenient to use it like that, every time I go to a site I should type my master password for autofill?
I like that pass command and I'll be using it also.
PASS IS THE STANDARD PASSWORD MANAGER!!!!!!!
Great presentation of gpg. I have one question, say you have a bank accounts, more than one account with the same bank, how would set this up? I would assume you would use the insert command with -m function. Could give me an example of this procedure? Thanks, keep up the great youtube work
What about mac os, windows, android, osx, autofill, touch id, paste through clipboard but secure, password generator, passwords check on getpwned, auto-Type to be protected against keyloggers.
Hey dt, a video idea: Chakra vs Kaos (review), they both are kinda similar but quite different, they are arch based, but not reeeally. I myself don't understand it?
Also Antix seems to be interesting
Attention!! You don't have to list the gpg key id, copy then paste to pass init. Instead, use the real name that you gave while creating the gpg key.
Example: pass init ""
@distrotube would it be possible to share your powerline config files for your terminal? Still haven't been able to get right justified segments
Bitwarden is the open source way to go.
I like using Master Password on my phone. It’s recommended by the privacytools.io website.
Yes, master password is a great tool also to generate more secure passwords and it doesn't store your password, instead it generates your pass based on their algorithm. That means you can use MPW through mobile app, web app, command line and OS installed app without the need to sync with any external storage/source/service. The thing I found handy with pass, as explained in this vid, is that you can also store your MPW generated password in your password store then use plugins to auto-fill it like the FF one he showed.
When creating a password I get the error message :
gpg: DEE04C3123456789: skipped: Unusable public key
gpg: [stdin]: encryption failed: Unusable public key
It looks like pass does not find the local gpg key. What can be the reason for this?
Be sure that your key can be used for encryption and not only for signing.
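One way to run the check this reply suggests, as an added example (not from the commenters or the pass project). It reads the machine-readable listing from `gpg --list-keys --with-colons`, where field 2 is the key's validity and field 12 its capabilities; an uppercase `E` on a `pub` record means the key as a whole can currently be encrypted to. The function names and the trimmed sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: report, per primary key, whether it can be used as an
# encryption recipient. Input: `gpg --list-keys --with-colons` records.
encryption_status() {
    awk -F: '
    function report() {
        if (id == "") return
        if      (val == "r") st = "primary key revoked"
        else if (val == "e") st = "primary key expired"
        else if (val == "i") st = "primary key invalid"
        else if (caps ~ /D/) st = "key disabled"
        else if (caps ~ /E/) st = "ok"
        else if (dead_enc)   st = "encryption subkey expired or revoked"
        else                 st = "no encryption capability (sign/certify only)"
        printf "%s\t%s\n", id, st
    }
    # A pub record starts a new key: field 5 = key ID, 2 = validity, 12 = caps.
    $1 == "pub" { report(); id = $5; val = $2; caps = $12; dead_enc = 0 }
    # A subkey that could encrypt (lowercase e) but is expired or revoked.
    $1 == "sub" && $12 ~ /e/ && $2 ~ /^[er]$/ { dead_enc = 1 }
    END { report() }
    '
}

# Check a real key from the local keyring (requires gpg to be installed).
check_recipient() {
    gpg --list-keys --with-colons "$1" | encryption_status
}

# Constructed sample listing (trimmed records, made-up key IDs):
#   key 1: sign/certify only, key 2: has an encryption subkey,
#   key 4: its only encryption subkey has expired.
sample_listing() {
    cat <<'EOF'
pub:u:255:22:AAAAAAAAAAAAAAA1:1700000000:::u:::scSC:
uid:u::::1700000000::::Sign Only (constructed) <sign@example.invalid>:
pub:u:255:22:BBBBBBBBBBBBBBB2:1700000000:::u:::scESC:
sub:u:255:18:CCCCCCCCCCCCCCC3:1700000000::::::e:
pub:u:255:22:DDDDDDDDDDDDDDD4:1600000000:::u:::scSC:
sub:e:255:18:EEEEEEEEEEEEEEE5:1600000000:1650000000:::::e:
EOF
}
```

Run `check_recipient` with the same key ID or name that was given to `pass init`; anything other than `ok` means gpg has no usable key to encrypt new entries to.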
@DistroTube any chance you could do a video on how to setup pass with a remote store using git so that passwords can be accessed from anywhere on the internet?
If you're using Ubuntu or Mint, don't install "pass" from the repositories because it's outdated version 1.7.1 (released in 2017-04-13). The latest version is 1.7.3 (released in 2018-08-03). I read in Wikipedia that "In June 2018, pass was found to be vulnerable to a variant of the SigSpoof attack. The issue was patched the same day that the vulnerability was disclosed."
Visit the official "pass" website and download the tarball. Trust me, it will be the easiest tarball you'll ever install in life. In fact, it was the shortest INSTALL file I've ever read. "sudo make install" and you're done.
You're wrong about people who use lastpass being hosed if lastpass was ever compromised. Lastpass does not have access to the unencrypted passwords of their users. It has actually been hacked before and none of the passwords were revealed.
You don't need GPG key. you can email too. I have question, how do i increase the 45 seconds expiration.
Anybody have any luck setting this up for an Iphone ?
Specifically github authentication, gpg/pgp keys ?
Does anyone know if pass can store passwords together with the username like lastpass? Might actually consider switching over then.
It certainly can. There are several ways of doing it: Storing it in the file name, such as `pass -c Internet/you@facebook.com`, or if you prefer better privacy you can just run `pass edit` and it will open the file in your $EDITOR. From there you can add a new line under your password like "login: yourUsername" or for any other meta information you like. Check out the "Data Organization" section on the pass website (www.passwordstore.org/)
@@Jaywalker9988 Thanks a lot! That sounds very convincing. I'll most likely wave Lastpass goodbye then. Do you know if it is possible to just sync the password folder with syncthing between your devices?
@@Jaywalker9988
hi there, under keepassxc im able to store not only text information, but also files (e.g. an odt file) in the encrypted container. would that be possible with pass too?
Abraham Kornfeld never really considered using pass for that because I just use the raw gpg commands that pass is wrapping for that, so you certainly could do that and use your pass gpg key. It’d also be fairly trivial to add in something like ‘pass file yourfile.odt’ since pass is just a shell script
@@AtomToast You can use git with pass to sync your passwords to a github or private git repo and sync that. You'll need to manually ensure all devices have the GPG private key to ensure each device can decrypt the files
Hey DT, do you have any job advice for people with no exp in anything?
Get experience in the field you want to go in, then do some volunteer work to get some work experience for your resume
@@clocked0 Any ideas on volunteer work for someone trying to get into linux sysadmin-ing?
Is it better than Bitwarden??
Obrigado! Thanks in Portuguese!
What options does it have for cloud sync?
so what if you forgot your master password? 10:33 - 10:43
FIRST!
Also, I think Pass is a really nice thing to keep passwords in your own management but I kinda miss a "cloud" solution because great, now I have ridiculously strong passwords I have to type by hand on my phone :c
um...you DO know how to copy-paste on your phone?
@@jan_harald Yes, but goodluck using the password from my desktop's store on it XD
I know I could use something like Resilio sync but that feels quite hacky.
@@FinlayDaG33k Syncthing's an app that can sync a ton of different ways, including rsync, and google drive and dropbox and such as well, iirc, not certain since been a while last I checked...
@@jan_harald Which is exactly what I meant with "feels kinda hacky".
Now I have to setup (and maintain) another piece of software to sync it.
Again, something like a self-hosted/cloud thingy would be dope.
There is an android app that can clone your pass repo and allow you to copy/paste and even autofill passwords
can i download that if i use windows ?
Shame you didn't talk about the git functionality of pass. Makes it a breeze to sync between devices.
I mean for regular computers, manually syncing is probably fine, but git allows me to sync on my phone with an app designed for pass.
Which app?
I'm a beginner in linux mint, but I found your video AMAZING!!! (best one online so far). I was not successful to get the command for if you forget your gpg master password how would you recover it. What would be the command? I tried ' gpg -d 826B0FD3C947AF26' but that did not work.
You can't. GPG doesn't have a 'recover password' functionality. The only thing you can do at that point is revoke the key if you generated a revocation certificate while you remembered the password.
What I heard was like 100x times Gee Pee Gee key :D
What the fuck, this thing doesn't work at all. It just keeps giving me "No entries matching this URL." bullshit.
missed opportunity. they should have called passmenu pwdmenu.
Wow. I love the keyboard wallpaper. Fantastic vid, BTW. Still does not sway me to use a computer connected to the internet to store my passwords, though. I like to use pen and paper. Is there something that can sway me, though?
We all know DT's password is dt
What if i forget my master password ?
Don't do that.
@@DistroTube xD
You don't have to remember the password. Think of a password that you'll be able to recreate. For example: 75-DC364hp? "} which translates to 1975 (birth year), DC - DODGE CHARGER, 364hp - horse power and 3 keys diagonally next to the enter key.
@@GreyDeathVaccine Yeah, or write it somewhere hidden in plain sight. Like, write some phrase as plain-text with some other random phrases, pretending to be poetry or something. Phrases are easiest to remember anyway.
Thanks, I'll pass
First comment!!!!!!
Congrats!
Can I have your pass? XD
ffs, just use lastpass
sed -i 's/dmenu/fzf/' ~/bin/passmenu
BitWarden is open source.
Followed the instructions. Followed the firefox plugin steps as written on the website and it was confusing. It bricked my laptop. Fresh install of Mint 4.2 and forget about these complicated softwares. Never again. It's the frustrating downside to linux. I'm not a programmer and I can't stand the guys who just fly through this stuff in a tutorial like it's no big deal. When you closed your terminal all of a sudden you lost me because there was other stuff on there with further instructions that left me confused. I was pissed and still am. Thanks but no thanks.
You being so ginger about showing Your real passwords, was it live stream? You could change them afterwards, oh so secret passwords, bit cringy ;-
You can just type "gpg --list-keys" and you'll see your keys.