password management

pass is my password manager. It satisfies what I want with it: to store passwords. But it also has some great features that I use daily. pass creates an encrypted text file for each password, meaning that I can treat that as a simple text file, and write some useful information like my username or account email, or those questions and answers that I never take seriously. The only line that I shouldn't touch is the first one, where the password itself is.

generate or insert a password

Basically, the workflow I have is this: I find a new website called, and I want to register there. So I complete the form with all my precious personal information until I get to the password input. Here I use pass like this:

$ pass generate
[master 525c5ed] Add generated password for
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644
The generated password for is:

That generates a new random password with the default settings. But I can tweak the defaults depending on the site's requirements. For example, if the password can't have any symbols, there's the -n option; if the password needs to be a certain length, there's the second positional argument, which is length, the first one being the password name ( in this case). So running:

pass generate -nc 5
An entry already exists for Overwrite it? [y/N] y
[master 61bhcf3] Add generated password for
 1 file changed, 0 insertions(+), 0 deletions(-)
Copied to clipboard. Will clear in 45 seconds.

I added -c there so instead of printing the password to stdout, it stores it on my clipboard. The password generated was this: Qu7ek. So no symbols, and 5 characters long. And as you can see, it prompts with y/n when the password already exists.

If I already have an existing password for this website, then I use the insert command, which doesn't generate a new one, but instead prompts me to enter one.

edit a password, and usage

Some websites use Q&A as an extra security measure, or I need to store some code or something else besides the password. When creating a new password called "", what pass does is creating a text file under ~/.password-storage, and encrypting it with my gpg key; So is basically just a text file. So if I need to store the Q&A or some code, I do this:

pass edit

Which opens the unencreypted contents of the file in my $EDITOR, and I can add to it whatever I want, like so:


Q: What's your favourite food?
A: Boiled white rice

Some important code: abc123

The only important thing, don't edit the first line. That's my actual password of "". After saving and closing the file, pass commits the changes:

[master a7f75ed] Edit password for using vim.
 1 file changed, 0 insertions(+), 0 deletions(-)

And lastly, but really important: how to actually access the password? I've only described how to generate and edit it. The simplest way is to use -c, which stores it in the clipboard, ready to be pasted into the input password at Like this:

$ pass -c
Copied to clipboard. Will clear in 45 seconds.

# or print the password to stdout
$ pass

Q: What's your favourite food?
A: Boiled white rice

Some important code: abc123

password rotation

To rotate a password, or when the website prompts me to update it, what I do is edit the file with pass edit website, move the current password a few lines down, or even add a "old password:" there, and leave the first line blank. Similar to this:

Original file:


After running pass edit website:

old password:

Then, with pass generate -ic website I generate a new password for this website. The -c option is to have it ready in my clipboard to paste it right away, the -i is the inline option, that only modifies the first line of the file (the line that I left blank on purpose, very important).