Password Management with a Difference: Part 1 Introducing the Pass Utility
The number of services that we have to access online seems to be growing by the day, especially in this day and age of social media. However, for us to comfortably exchange information with others, we have to be in control of our data, and key to that control is the password.
The subject of password management has been written about a lot. If you are in doubt as to what it entails, consider reading this article on this blog, this one, or that one, among dozens of articles on the web. The bottom line is that as you access lots of services, you have to generate different passwords for these services rather than using a single password. While a single password may be convenient for you and your memory, it may be a gateway to losing not only your secrets, but your reputation as well if one service is compromised. That single, easy-to-memorise password may help the digital trespasser to open other hidden treasure troves.
In this post, though, I am going to talk of a password management utility that I came across and considered to be unique in its management of your passwords: the Pass utility.
What is it?
The Pass utility is a tool that combines an already existing set of tools on Unix-based platforms to create a password vault.
Rather than taking an approach of having a central server where users have to register to have their passwords remotely managed, with the Pass utility, you are in charge not only of generating your passwords, but where to store them. Some of the tools it uses include:
- GPG for generating your private and public keys;
- Git, for managing your local and remote repositories;
- The bash shell for accessing data on your filesystem and extensions.
Some terms I will be employing when discussing Pass are:
- A database for storing passwords, otherwise known as a vault by other password managers.
- An online or offline resource that can be accessed after one supplies his or her password. A service always creates privileges for those registered in a system and those who aren’t.
Getting Started with Pass
On any Linux distro, it is just a matter of getting it from the distro’s package repository. For instance, on Debian and its derivatives, running
sudo apt-get install pass
followed by your password, will have it installed on your system. Otherwise, getting the source from its homepage will do.
The first step in using Pass is to create a Password Store on your system, which will be secured by your private key.
This means that you have to generate a key pair using GPG whose identity you would use to secure your store. This could be your email, or any string you will remember when unlocking your keys later on during creation and updates of your keys.
While the subject of key generation is important, for the purposes of brevity, we will cover it in another post on security.
Let us say I decide to use my email as my key. To set up a password store, I do the following:
pass init email@example.com
In this case, “email@example.com” is my key.
Running Pass this way will generate a new store that is by default
In the next instalment, we will be looking at how we can sync stores between devices, but for now, we assume we are getting started with a brand new Password store.
Managing your passwords
Now that we’ve set up the store, how do we manage our passwords? By “managing”, we refer to the process of:
- Creating new passwords,
- Updating existing passwords, and
- Deleting redundant passwords.
The format for using the Pass utility is simple: invoke it using pass followed by the command name.
As we’ve already seen, in initialising a password store, we had to pass the “init” argument to the pass command and we had our new store.
The table below shows some of the commands you can invoke after typing “pass”:

| Command | Purpose |
|---|---|
| generate | To generate a new password |
| init | To set up a new password store |
| insert | To insert a new service into the store, along with an already existing password |
| mv | Rename keys in the store |
| rm | Delete a key from the store |
| git(*) | Wrapper around Git |
| edit | To edit a password key |

(*) The git command is only a wrapper around git services, so you must already have Git installed on your machine. Thus, a command such as pass git push only forwards the git push to Git. We will get into detail on working with Git in the next
So to insert a new service such as Twitter into the password store, whose password you already have, type
pass insert Twitter
This will be followed by a prompt such as: “Enter new password for Twitter”. You have to type this password twice, first to enter it and second to confirm it.
After doing this, the new service will be added to the store and encrypted by your key. You will also see a message about a commit to the Git repo if you initialised your store as a Git repo.
However, in some cases, you may wish to generate a new password, say during creation of an online service. You don’t want to bother thinking of a clever password. In that case, the generate command is your friend. Simply type
pass generate Yahoo.com
Doing this will result in a new service called Yahoo.com being added to the password store with a new randomly generated password. The length of such a password is determined by the name of the service. However, passing a number as the last argument will tell Pass how long your password should be.
The password generated is usually strong and long enough to pass the password challenges that are often conducted by services such as LastPass.
However, if you do not like the mixture of special symbols and other alphanumeric characters, you can pass the --no-symbols option to the generate command like this:
pass generate --no-symbols Yahoo.com
Generating a password this way will have Pass briefly show you the new password. If you need it again, for instance to enter it in the service you are dealing with, just type
pass -c Yahoo.com
The -c argument tells Pass to copy the password to the clipboard.
As copying passwords to the clipboard is a risky activity, the Pass utility will clear the clipboard after some time. By default, it is 45 seconds after the copy operation.
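The two knobs on generate, the length argument and --no-symbols, trade off against each other. The sketch below is an added example, not Pass's own code: the function names are hypothetical, and the alphabet sizes 94 and 62 are the ASCII counts for letters, digits and punctuation versus letters and digits only.

```shell
#!/usr/bin/env bash
# Added sketch, not Pass's source: draw a random password from a
# character class and estimate what --no-symbols costs in strength.

# gen_password LENGTH [nosymbols]
gen_password() {
    local len=$1 class='[:punct:][:alnum:]'
    if [ "${2:-}" = nosymbols ]; then
        class='[:alnum:]'
    fi
    # tr drops every random byte outside the class; head stops after LENGTH.
    LC_ALL=C tr -dc "$class" < /dev/urandom 2>/dev/null | head -c "$len"
}

# entropy_bits LENGTH ALPHABET_SIZE -> whole bits, rounded down
entropy_bits() {
    awk -v n="$1" -v a="$2" 'BEGIN { printf "%d\n", n * log(a) / log(2) }'
}

# min_length TARGET_BITS ALPHABET_SIZE -> shortest length reaching the target
min_length() {
    awk -v b="$1" -v a="$2" 'BEGIN {
        per = log(a) / log(2)      # bits contributed by each character
        n = int(b / per)
        if (n * per < b) n++       # round up to the next whole character
        print n
    }'
}

# Constructed comparison: a 20-character password with and without symbols,
# and how long the symbol-free one must be to match.
with_symbols=$(entropy_bits 20 94)
without_symbols=$(entropy_bits 20 62)
echo "20 chars, symbols:    ${with_symbols} bits"
echo "20 chars, no symbols: ${without_symbols} bits"
echo "no-symbols length for parity: $(min_length "$with_symbols" 62)"
```

When a service rejects symbols, a few extra characters of length recover what the smaller alphabet gives up.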
Pass does not enforce a format for storing passwords: instead, what is important is that the first line in a file is a password. So you can store a lot of other details besides the password. Just type
pass edit service
And add any details you wish. Just make sure that the first line is not touched as it contains your password.
In fact, you can even change your password in this file: just change the string on the first line, and your password is changed. To see all your keys in the Password Store, just type “pass” without any arguments.
The Pass utility is a password manager that takes a different approach to how one can handle their data. It may seem cumbersome at first, until you understand how convenient it is to be in charge of your data.
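The first-line rule is what lets scripts pull the password and the extra details apart. The following is an added example, not part of Pass: the function names are hypothetical, the sample entry is constructed, and the "key: value" layout for the extra lines is an assumed convention that Pass itself does not enforce.

```shell
#!/usr/bin/env bash
# Added example: split a decrypted entry into password and metadata.
# SAMPLE_ENTRY is constructed; in real use the text would come from
# `pass show <name>` piped into these functions.

SAMPLE_ENTRY='c0nstructed-Example-Pw:1
username: alice@example.com
url: https://twitter.com/login
notes: recovery codes are in the safe'

# The password is the first line and nothing else.
entry_password() {
    head -n 1
}

# Value of a "key: value" metadata line. Line 1 is never searched, so a
# password that happens to contain a colon is not mistaken for a field.
entry_field() {
    awk -v k="$1" 'NR > 1 {
        i = index($0, ":")
        if (i == 0) next                      # not a key: value line
        if (tolower(substr($0, 1, i - 1)) == tolower(k)) {
            val = substr($0, i + 1)
            sub(/^[ \t]+/, "", val)           # drop padding after the colon
            print val
            exit
        }
    }'
}

# Fail when the first line is empty: an edit that pushed the password
# down a line would otherwise hand back an empty secret.
entry_check() {
    local first
    first=$(head -n 1)
    [ -n "$first" ]
}

printf '%s\n' "$SAMPLE_ENTRY" | entry_field url
```

Running entry_check after every pass edit catches the mistake the text warns about, where the first line is disturbed.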
In the next instalment we will be looking at syncing your passwords between your devices. We will also be talking about other interesting extensions that make the business of working with passwords a child’s play, along with sharing some security tips of working with passwords.
Until then, thanks for reading this post and good luck with your password management!