alazarte

password management

pass is my password manager. It satisfies what I want with it: to store passwords. But it also has some great features that I use daily. pass creates an encrypted text file for each password, meaning that I can treat that as a simple text file, and write some useful information like my username or account email, or those questions and answers that I never take seriously. The only line that I shouldn't touch is the first one, where the password itself is.

generate or insert a password

Basically, the workflow I have is this: I find a new website called example.com, and I want to register there. So I complete the form with all my precious personal information until I get to the password input. Here I use pass like this:

$ pass generate example.com
[master 525c5ed] Add generated password for example.com.
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 example.com.gpg
The generated password for example.com is:
VCx~r4$u=QUoq:S}X9SjT>-E#

That generates a new random password with the default settings. But I can tweak the defaults depending on the site's requirements. For example, if the password can't have any symbols, there's the -n option; if the password needs to be a certain length, there's the second positional argument, which is length, the first one being the password name (example.com in this case). So running:

$ pass generate -nc example.com 5
An entry already exists for example.com. Overwrite it? [y/N] y
[master 61bhcf3] Add generated password for example.com.
 1 file changed, 0 insertions(+), 0 deletions(-)
Copied example.com to clipboard. Will clear in 45 seconds.

I added -c there so instead of printing the password to stdout, it stores it on my clipboard. The password generated was this: Qu7ek. So no symbols, and 5 characters long. And as you can see, it prompts with y/n when the password already exists.

If I already have an existing password for this example.com website, then I use the insert command, which doesn't generate a new one, but instead prompts me to enter one.

edit a password, and usage

Some websites use Q&A as an extra security measure, or I need to store some code or something else besides the password. When I create a new password called "example.com", pass creates a text file under ~/.password-store and encrypts it with my gpg key, so it's basically just a text file. If I need to store the Q&A or some code, I do this:

$ pass edit example.com

This opens the decrypted contents of the file in my $EDITOR, and I can add whatever I want to it, like so:

Qu7ek

Q: What's your favourite food?
A: Boiled white rice

Some important code: abc123

The one important thing: don't edit the first line. That's my actual password for example.com. After saving and closing the file, pass commits the changes:

[master a7f75ed] Edit password for example.com using vim.
 1 file changed, 0 insertions(+), 0 deletions(-)

And last, but really important: how do I actually access the password? So far I've only described how to generate and edit it. The simplest way is to use -c, which stores it in the clipboard, ready to be pasted into the password input at example.com. Like this:

$ pass -c example.com
Copied example.com to clipboard. Will clear in 45 seconds.

# or print the password to stdout
$ pass example.com
Qi2el

Q: What's your favourite food?
A: Boiled white rice

Some important code: abc123

password rotation

To rotate a password, or when the website prompts me to update it, I edit the file with pass edit website, move the current password a few lines down, maybe under an "old password:" label, and leave the first line blank. Similar to this:

Original file:

super-strong-password

After running pass edit website:


old password:
super-strong-password

Then I generate a new password for this website with pass generate -ic website. The -c option puts it in my clipboard, ready to paste right away; -i is the in-place option (--in-place), which only replaces the first line of the file (the line that I left blank on purpose, very important).
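
The rotation steps above can also be scripted so the old password is never lost by a mistyped edit. This is an added example, not part of the original post: prep_rotation and rotate_entry are hypothetical helper names, and rotate_entry assumes pass and a usable gpg key are set up.

```shell
#!/bin/sh
# Added example: script the manual rotation steps for a pass entry.
# prep_rotation and rotate_entry are hypothetical helper names.

# Read a decrypted entry on stdin and write the pre-rotation layout on
# stdout: blank first line, then "old password:" and the old password,
# then every other line (Q&A, codes) unchanged.
prep_rotation() {
    awk '
        NR == 1 {
            print ""                      # blank the password line
            if ($0 != "") {               # already blank: nothing to move
                print "old password:"
                print $0
            }
            next
        }
        { print }                         # keep the notes as they are
    '
}

# Rotate one entry. Assumes pass and a usable gpg key.
rotate_entry() {
    name=$1
    # Stop if the entry cannot be decrypted, so a failed read never
    # overwrites it with empty content.
    entry=$(pass show "$name") || return 1
    # printf is a builtin in bash and dash, so the secret does not
    # appear in another process's argument list.
    printf '%s\n' "$entry" | prep_rotation |
        pass insert -m -f "$name" >/dev/null || return 1
    # -i replaces only the first line, -c copies the new password.
    pass generate -ic "$name"
}

# Constructed sample entry (not a real secret) to show the transformation.
printf 'super-strong-password\nQ: favourite food?\nA: Boiled white rice\n' |
    prep_rotation
```

Running prep_rotation on an entry whose first line is already blank changes nothing, so a half-finished rotation can be resumed safely.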