Andrea Veri's Blog Me, myself and I

Manage passwords with ‘pass’

Fighting with passwords have always been one of my favorite battles in the past and unfortunately the former always won. I never liked using the root user that much for administering a machine and made a massive use of sudo, I won’t list all the benefits of using sudo, but the following wiki page has a pretty nice overview of them.

Said that, when using sudo it’s definitely ideal to combine a strong password that is also easy to remember and type again when prompted. Sadly strong passwords that are also easy to remember can be considered an oxymoron. How hard would it be to recall a 30+ chars long password? Honestly that would be close to impossible for an human being but what if a little software available on the major GNU/Linux distributions could handle that for us? That’s where pass comes handy, but what is pass? from the pass manpage itself:

pass is a very simple password store that keeps passwords inside gpg2(1) encrypted files inside a simple directory tree residing at ~/.password-store. The pass utility provides a series of commands for manipulating the password store, allowing the user to add, remove, edit, synchronize, generate, and manipulate passwords.

I’m sure that a lot of you guys have been looking for a tool like this one for ages: pass allows you to generate very strong passwords with pwgen, GPG encrypt them with your GPG Key, store them safely on your disk and make them available whenever you need them with a single command. But let’s move to the practice, give the following steps a try and enjoy how powerful your pass setup will be.

First setup

Install the software:

yum/apt-get install pass

Generate a GPG Key if you don’t have one already, a detailed guide can be found here. Initialize your passwords storage. (GPGKEYID can be retrieved by running gpg –list-keys and then looking for a line similar to this one: pub 4096R/B3A6223D 2012-06-25)

pass init GPGKEYID

Generate your first password and call it ‘sudo_password’ given you are going to make use of it as your brand new sudo password. (we want it at least 30+ chars long)

pass generate sudo_password 30

(Optional) Create as much passwords as you need and make sure to save them with unique names, that way you will be able to identify what a password is used for easily.

pass generate gmail_password 30

Additional maintenance commands on your password database

Look at the existing passwords on your database.

pass ls


Password Store
├── gmail_password
├── sudo_password
└── root_password

Manually edit a password.

pass edit password_name

Remove a password from your database.

pass rm password_name

Copy a password on your clipboard and paste it.

pass -c password_name

Are you wondering if pass supports a VCS? Yeah, it does, it currently allows you to manage your passwords database with Git, so that each applied change to the database will be tracked through a VCS so that you won’t forget when and how you updated a specific password.