Password management from the command line
Remembrance of Things Pass
The easy-to-use Pass offers password control at the command line. We show you how to set it up and use it.
Password managers have become a standard Linux utility. They are a feature in web browsers, and at least a dozen desktop alternatives are available, ranging from KDE's Wallet  to Gringotts  and KeePassX . In the past few years, online solutions such as LastPass  have also become common solutions.
Unfortunately, most of these alternatives leave users with only the vaguest idea of what they are doing. If you want a password manager that is easy to use and always makes clear what it is doing, you are better off turning to the command line – specifically to Pass , a password manager written by Jason A. Donenfeld that uses existing system resources in its operations.
Pass is available in the repositories of most major distributions. As usual, you can also compile from scratch, but, if you do, take note of the dependencies, especially GnuPG (GPG) , which creates encryption keys, and Password Generator (pwgen) , which generates random passwords that contain random combinations of upper- and lowercase letters, numbers, and special characters. Without GnuPG and pwgen, you will be unable to set up Pass, much less actually use it.
As a command, Pass uses the structure:
pass COMMAND OPTIONS ARGUMENT
If the command is missing,
ls is usually assumed, which means that you can see the contents of
.password-store by typing only
pass. The command also determines the valid options and arguments.
Setting Up Pass
Before you can use Pass, you must set up an encrypted subdirectory in your home directory.
The first step in this process is to create an encryption key to use with the subdirectory. You could, of course, use an existing one, but using a unique one makes for stronger security.
To create the key, enter the command:
The option will begin a wizard to help you create the key (Figure 1). The implications of most of the keys are obvious – for example, the longer the key, the more secure it is likely to be. If you are at a loss, you can safely use the defaults. However, if you want a better sense of the alternatives, you can search for the command online before using it .
At the end of the key creation, GPG summarizes the key with the last eight characters of the key fingerprint. These eight characters are what Pass's man page refers to as the gpg-id, so copy it to the clipboard and make a note of it for later use. You will also need to remember the key's passphrase to use the password stored in Pass.
Once you have the key, you can initialize the encrypted directory with the command:
pass init GPG-ID
This command creates a subdirectory called
.password-store in your home directory (Figure 2). Should you ever want to change the encryption key that Pass uses, you can add
-e to the command while specifying a different key.
.password-store is first initialized, it contains a subdirectory for the encryption key. As you add passwords, you can create additional subdirectories to keep organized. For example, you might have a subdirectory called
Social for the passwords to sites like Facebook and Google+, and another called
Adding, Using, and Creating Entries
To view the entire contents of
.password-store, use the command
pass show, or simply
pass. All three show all the subdirectories, with the lowest entry in the tree being the individual password; there is also a top-level subdirectory for the gpg-id (Figure 3). If you use subdirectories to organize your passwords, you can display just the directory specified using the command
pass ls DIRECTORY or
pass show DIRECTORY.
To avoid duplication of passwords, you can check on an existing password with
Before you add an entry, you might want to create a password for a site that is completely random by calling pwgen (Figure 4) with the command:
pass generate OPTIONS PASSWORD-LENGTH
If you prefer, you can add
-n so that the password consists only of upper- and lowercase letters and numbers. Add the
--force plus the path within
.password-store after all the options, and you can change the password of an existing entry.
The most useful options for
--clip. Using either one copies the generated password to the clipboard for 45 seconds, which means, after generating the password in a virtual terminal, you can quickly paste it in when you type
.password-store with the command:
pass insert PATH
Pass responds to the preceding command by asking the user for the password. Notice, too, that specifying the path creates a subdirectory if necessary, so you can use pass to insert an entry into Social/Tumbler or another networking interface inside
.password-store (Figure 5).
For added security, unless you add
-e to the
insert command, the inserted password is not displayed in the terminal; instead, you are asked to enter it twice. Additionally, if the path already exists, you cannot overwrite unless you add
-f. Still another security option,
-m, creates a password that is more than a single line long, which makes it more difficult to crack.
An alternate method of adding or editing a password is to use the command
edit PATH to open the text editor specified in your environment, or, if none is specified, in Vim.
Later, to delete a password, you can use the command structure:
pass rm OPTIONS PATH
rm command can be modified with
-r. The command
pass rm --recursive Social/ therefore would remove all the passwords in the
Social subdirectory, whereas
pass rm Social/Twitter would remove only the password for Twitter. You are prompted to confirm the deletion, unless you add the
-f option (Figure 6).
Using an Encrypted Password
Once the password is created and stored, you can display the password with:
pass show PATH
You need to enter the encryption key to display the password, but the disadvantage of this command is that the password is displayed for anyone passing by to see. Also, you need to copy and paste in a separate action to use the password.
A more secure method of using the password is to copy it directly to the clipboard without viewing it directly with the command:
pass -c PATH
In response, GPG opens a dialog window for you to enter the encryption key's passphrase (Figure 7). When the phrase is entered successfully, you have 45 seconds before the password is cleared from the clipboard. During this time, you can navigate to the application that requires the password and paste it into the appropriate field.
Buy this article as PDF
VMware bids for a stake in the container industry with a bold effort to integrate containers with its classic virtualization system.
3ROS attack tool lowers the technical bar so anyone can be an intruder.
Mozilla's latest browser offers powerful new privacy feature
If attackers are on your system, saving your passwords in a password vault is no protection.
Faulty hash algorithm persists, despite efforts by experts to raise awareness.
Powerful man-in-the-middle attack is now targeting online shopping.
Another high-profile coder says the kernel team needs a kinder, gentler culture.
Bug database has a bug of its own that could allow an intruder to create an unauthorized account.
Report focuses federal resources on achieving universal Internet access.
Leading browser makers say “no” to porous encryption algorithm