Password Management with a Difference: Part 1 Introducing the Pass Utility

The number of services that we have to access online seems to be growing by the day, especially in this day and age of social media. However, for us to comfortably exchange information with others, we have to be in control of our data, and key to that control is the password.

The subject of password management has been written about a lot. If you are in doubt as to what it entails, consider reading this article on this blog, this one, or that one, among a dozen articles on the web. The bottom line is that as you access lots of services, you have to generate different passwords for these services rather than using a single password. While a single password may be convenient for you and your memory, it may be a gateway to losing not only your secrets, but your reputation as well if one service is compromised. That single, easy-to-memorise password may help the digital trespasser to open other hidden treasure troves.

In this post, though, I am going to talk of a password management utility that I came across and considered to be unique in its management of your passwords: the Pass utility.

What is it?

The Pass utility is a tool that combines an already existing set of tools on Unix-based platforms to create a password vault.

Rather than relying on a central server where users have to register to have their passwords remotely managed, the Pass utility puts you in charge not only of generating your passwords, but also of where to store them. Some of the tools it uses include:

  • GPG for generating your private and public keys;
  • Git, for managing your local and remote repositories;
  • The bash shell for accessing data on your filesystem and extensions.

Some terms I will be employing when discussing Pass are:

Password Store: A database for storing passwords, otherwise known as a vault by other password managers.
Service: An online or offline resource that can be accessed after one supplies his or her password. A service always creates privileges for those registered in a system and those who aren’t.

Getting Started with Pass

On any Linux distro, it is just a matter of getting it from the distro’s package repository. For instance, on Debian and its derivatives, running

sudo apt-get install pass

followed by your password, will install it on your system. Otherwise, getting it from the source on its homepage will do.

The first step in using Pass is to create a Password Store on your system, which will be secured by your private key.

This means that you have to generate a key pair using GPG whose identity you would use to secure your store. This could be your email, or any string you will remember when unlocking your keys later on during creation and updates of your keys.

While the subject of key generation is important, for the purposes of brevity, we will cover it in another post on security.

Let us say I decide to use my email as my key. To set up a password store, I then do the following:

pass init

In this case, “” is my key.

Running Pass this way will generate a new store that is by default kept in ~/.password-store.

In the next instalment, we will be looking at how we can sync stores between devices, but for now, we assume we are getting started with a brand new Password store.

Managing your passwords

Now that we’ve set up the store, how do we manage our passwords? By “managing”, we refer to the process of

  • Creation of new passwords,
  • Storing them,
  • Updating existing passwords, and
  • Deleting redundant passwords.

The format for using the Pass utility is simple: invoke it using pass followed by the command name.

As we’ve already seen, in initialising a password store, we had to pass the “init” argument to the pass command and we had our new store.

The table below shows some of the commands you can invoke after typing “pass”:

Command     Description
generate    To generate a new password
init        To set up a new password store
insert      To insert a new service into the store, along with an already existing password
mv          Rename keys in the store
rm          Delete a key from the store
git (*)     Wrapper around Git
edit        To edit a password key

(*) The git command is only a wrapper around Git, so you must already have Git installed on your machine. Thus, a command such as pass git push simply forwards git push to Git. We will go into detail on working with Git in the next post.

So, to insert a new service such as Twitter, whose password you already have, into the password store, type

pass insert Twitter

This will be followed by a prompt such as: “Enter new password for Twitter”. You have to type this password twice, first to enter it and second to confirm it.

After doing this, the new service will be added to the store and encrypted by your key. You will also see a message about a commit to the Git repo if you initialised your store as a Git repo.

However, in some cases, you may wish to generate a new password, say during creation of an online service. You don’t want to bother thinking of a clever password. In that case, the generate command is your friend. Simply type

pass generate

Doing this will result in a new service called added to the password store with a new randomly generated password. The length of such a password is determined by the name of the service. However, passing the number as the last argument will tell Pass how long your password should be.

The password generated is usually strong and long enough to pass the password challenges that are often conducted by services such as LastPass.

However, if you do not like the mixture of special symbols and other alphanumeric characters, you can pass the no-symbols option to the generate command like this:

pass generate --no-symbols

Generating a password this way will have Pass briefly show you the new password. If you want it, for instance to enter it in the service you are dealing with, just type

pass -c

The -c argument says to copy the password to the clipboard.

As copying passwords to the clipboard is a risky activity, the Pass utility will clear the clipboard after some time. By default, it is 45 seconds after the copy operation.

Pass does not enforce a format for storing passwords: instead, what is important is that the first line in a file is a password. So you can store a lot of other details besides the password. Just type

pass edit service

And add any details you wish. Just make sure that the first line is not touched as it contains your password.

In fact, you can even change your password in this file: just change the string on the first line, and your password is changed. To see all your keys in the Password Store, just type “pass” without any arguments.
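An added example, not part of the original post or of the pass project: a read-only audit of the store's on-disk layout that never decrypts anything. It relies on pass keeping each service as a GPG-encrypted file named <service>.gpg under the store and working under umask 077; the function names and the sample store are hypothetical and constructed for illustration.

```shell
# Added example (not part of pass): audit a password store without decrypting it.

# True if FILE starts like OpenPGP data: a binary packet (first octet has its
# high bit set) or an ASCII-armored message.
looks_encrypted() {
    first=$(od -An -tu1 -N1 "$1" | tr -d ' \n')
    [ -n "$first" ] && [ "$first" -ge 128 ] && return 0
    head -c 27 "$1" | grep -q '^-----BEGIN PGP MESSAGE-----'
}

# Print one finding per line; return 0 if the store is clean, 1 otherwise.
audit_store() {
    store=${1:-${PASSWORD_STORE_DIR:-$HOME/.password-store}}
    [ -d "$store" ] || { echo "MISSING-STORE $store"; return 1; }
    out=$(
        # .gpg-id names the GPG key(s) that entries are encrypted to.
        [ -s "$store/.gpg-id" ] || echo "NO-GPG-ID $store/.gpg-id"
        find "$store" -name .git -prune -o ! -type l -print |
        while IFS= read -r f; do
            # pass works under umask 077, so no group/other bits are expected.
            case $(ls -ld "$f") in
                (????------*) ;;
                (*) echo "LOOSE-PERMS $f" ;;
            esac
            [ -f "$f" ] || continue
            case ${f##*/} in
                (.gpg-id|.gitattributes) ;;
                (*.gpg) looks_encrypted "$f" || echo "NOT-ENCRYPTED $f" ;;
                (*) echo "STRAY-FILE $f" ;;
            esac
        done
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample store: one OpenPGP-looking entry plus two planted problems.
build_sample_store() {
    d=$(mktemp -d) && chmod 700 "$d"
    echo 'user@example.org' > "$d/.gpg-id"
    printf '\205\001\014constructed' > "$d/Twitter.gpg"  # 0x85 = OpenPGP packet tag
    printf 'plaintext\n' > "$d/Email.gpg"                # plaintext saved as .gpg
    printf 'notes\n' > "$d/todo.txt"                     # stray file
    chmod 600 "$d"/.gpg-id "$d"/*.gpg; chmod 644 "$d/todo.txt"
    echo "$d"
}

sample=$(build_sample_store); audit_store "$sample" || true; rm -rf "$sample"
```

Called with no argument, audit_store checks $PASSWORD_STORE_DIR or ~/.password-store; STRAY-FILE is a heuristic, so files you deliberately keep in the store will be listed too.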


The Pass utility is a password manager that takes a different approach to how one can handle their data. It may seem cumbersome at first, until you understand how convenient it is to be in charge of your data.

In the next instalment we will be looking at syncing your passwords between your devices. We will also be talking about other interesting extensions that make the business of working with passwords child’s play, along with sharing some security tips for working with passwords.

Until then, thanks for reading this post and good luck with your password management!

Ishe Chinyoka
Access Technology Instructor

My research interests include operating systems, access technology, programming, and science fiction.