(In)Security of the “Pass” password manager

52 points by NicolaiS over 2 years ago

19 comments

resoluteteeth over 2 years ago
While they're real, most of these issues don't really seem worth worrying about except for the site names not being encrypted, but pass also isn't a cloud service so I'm not convinced that's a big deal?

I guess it's an issue if you're storing the repository in github or backing it up without additional encryption, but I suspect that's not how most people are using it anyway.

As long as you understand its limitations pass is nice precisely because it's simple and basically just a wrapper around git + gnupg.

In comparison, most cloud password managers don't have these specific issues, but they are also very likely less secure in other ways.

Evidlo over 2 years ago
The KeePass format has been around for years. I don't really understand why people keep using pass, or why it bills itself as the "standard" Unix password manager.

There are also already command line KeePass utilities, like passhole [0] (mine) and keepassxc-cli [1].

[0]: https://github.com/evidlo/passhole
[1]: https://keepassxc.org/docs/KeePassXC_UserGuide.html

blfr over 2 years ago
Yeah, yeah, but if an adversary can do things like

> replace the contents of ./Personal/malicious-site.com with the contents of ./Work/id_ed25519

then it's pretty much game over anyway.

ghostpepper over 2 years ago
I know it's not FOSS but 1Password does have a decently fully-featured CLI client

https://developer.1password.com/docs/cli/

gmuslera over 2 years ago
All designs have use cases and scenarios for which they are better or worse.

Pass (and gopass, and all the derivatives of the same idea) is not the best personal password store (for that KeePassXC and similar might be better) but coupled with git it gives a technical team a way to share passwords in a more or less secure way at rest.

AFAIK KeePassXC doesn't give a way of automating merges of different versions of the password store (for that the granularity provided by git and the pass format is better), so modifying the keys by a team is an exercise in coordination, and having one global master key implies an all-or-nothing approach.

And being built over time-tested technology in a simple enough way is another feature. It is a simple bash script taking advantage of gpg and git, not a complex piece of software that should be audited with each security update.

Of course the computers taking part should be trusted; if the personal computer of any of the people with access to the keys is compromised, or wherever you store your git repository, it might not be so safe, but then you probably have bigger problems to worry about.

eduction over 2 years ago
This attack makes no sense to me:

—————

Active Attack:

1. Adversary replaces the contents of ./Personal/malicious-site.com with the contents of ./Work/id_ed25519

2. Victim decrypts ./Personal/malicious-site.com and the decrypted contents is placed in her clipboard automatically.

3. Victim logs into malicious-site.com.

The victim just uploaded her work SSH private key to malicious-site.com

————

If the attacker is on the victim's machine and has access to the ssh private key ("id_ed25519"), wouldn't they just upload it directly to malicious-site.com via curl or whatever? Why this whole rigamarole?

If someone is on your machine doing arbitrary things what software can reasonably protect you? Even Signal would fail.

zikduruqe over 2 years ago
I've never understood the "complexity" of PGP/GnuPG. Granted the man page is dozens of pages long, but I find it no more complicated than any other command line tool. Maybe it is because I have used it professionally and personally forever.

The author of Age has ported Pass to use Age as the encryption scheme if one needs a modern solution.

As for reading the directory structure, you don't have to put your passwords in a directory structure and can just do security by obscurity.... But, if someone has access to my local machine, I have bigger issues.

jph over 2 years ago
I like the command line capabilities of "pass", and I also agree with the author about some of its security issues and complexity.

I created "passable" to do what I believe is a bit better (IMHO) for command line usage: symmetric encryption, and files do not use any particular in-the-clear directory structure.

The code is POSIX shell, short, and easy to audit. MIT & Apache & GPL license. Constructive feedback welcome.

https://github.com/SixArm/passable

sdflhasjd over 2 years ago
> 90ties horror show

I had to briefly pause reading there, as the word "90ties" is a horror show itself.

Ninety-ties? Ninetittys?

est31 over 2 years ago
Anything PGP based is disqualified usually because of decrypting to the hard disk. This means that an attacker that can read files at the right moment can access the decrypted file. pass thankfully uses /dev/shm so you don't have to worry about the password making it to the unallocated parts of your hard disk where it can be read out via hardware access, so it needs to be an active attack, but still.

thraxil over 2 years ago
The bigger issue with pass, IMO, is that there's no audit trail on secret access. At a previous job, the team used pass for shared ssh keys, passwords, etc. One developer got malware on their workstation. It was detected fairly quickly, but not before he'd used pass once or twice. At that point, we had to assume that the malware had been able to capture the PGP key and all the encrypted secrets. That meant that we had to rotate every single secret in all of our systems that were reachable from those. In a better setup with something like Hashicorp Vault, GCP Secrets Manager, etc, with auditing, we could've looked through audit logs to see which secrets were actually accessed during the vulnerable window and only had to rotate those.

forgotpwd16 over 2 years ago
> RSA (and all other public key crypto systems supported by PGP) will be broken by Shor's algorithm

Seems there's work going towards, or at least the idea is being explored, adding PQC to OpenPGP.

https://www.ietf.org/id/draft-wussler-openpgp-pqc-00.html

https://datatracker.ietf.org/meeting/113/materials/slides-113-openpgp-a-post-quantum-approach-for-openpgp-00

> If you insist on using Pass, I highly recommend using a separate PGP key just for Pass.

Will guess that's how most people use it already. Separating keys for usage is after all something core in PGP.

upofadown over 2 years ago
If someone modifies your PGP encrypted password file and you decrypt it GPG will say:

    gpg: WARNING: encrypted message has been manipulated!

... and GPG will return a fatal error. So the meandering stuff about the malleability of PGP is not of any practical interest. The underlying cryptography that ensures the integrity here has stood the test of time (over 20 years at this point).

In another part of the article it is mentioned that an attacker can entirely replace a particular password file ("No authentication of values") which makes the PGP malleability stuff irrelevant. So we are maximizing the number of listed issues here. Note that pass will sign the password files if configured to do so which makes this issue go away.

yellowapple over 2 years ago
I feel like half of these problems would be solved by pass signing *and* encrypting the stored passwords, and then refusing to decrypt anything not signed by a known-valid key without the user's explicit case-by-case consent and knowledge.

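The two comments above (the gpg integrity warning on a tampered ciphertext, and refusing entries not signed by a known key) can be combined into one check. This is an added example, not code from the thread or from the pass project: it assumes entries were written with `gpg --sign --encrypt` instead of pass's plain `gpg --encrypt`, and it decides from gpg's machine-readable `--status-fd` lines (keywords from gnupg's doc/DETAILS) rather than from the human-readable output.

```python
import subprocess

# gpg status keywords that mean the entry must not be used, whatever else is reported
FATAL = {"BADSIG", "BADMDC", "DECRYPTION_FAILED", "ERRSIG", "NO_PUBKEY"}


def entry_is_trusted(status_text, trusted_fprs):
    """Accept a decrypted entry only if gpg reports DECRYPTION_OKAY, no fatal
    status, and a VALIDSIG whose signing or primary fingerprint is trusted.
    A tampered ciphertext surfaces as BADMDC (the "manipulated" warning); a
    wholesale-replaced entry decrypts cleanly and is caught only because the
    signature is missing or comes from an untrusted key."""
    trusted = {f.replace(" ", "").upper() for f in trusted_fprs}
    decrypted = False
    signed_by_trusted = False
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable stderr chatter, not a status line
        fields = line.split()
        keyword = fields[1]
        if keyword in FATAL:
            return False
        if keyword == "DECRYPTION_OKAY":
            decrypted = True
        elif keyword == "VALIDSIG":
            # fields[2] is the signing (sub)key fingerprint; the last field
            # is the primary key fingerprint
            if {fields[2].upper(), fields[-1].upper()} & trusted:
                signed_by_trusted = True
    return decrypted and signed_by_trusted


def show_verified(entry_path, trusted_fprs):
    """Decrypt one pass entry (a .gpg file) and return its plaintext only if
    entry_is_trusted() accepts gpg's status output. Calls the real gpg, so
    it is the part a wrapper around `pass show` would replace."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "2", "--decrypt", entry_path],
        capture_output=True, text=True)
    if not entry_is_trusted(proc.stderr, trusted_fprs):
        raise RuntimeError(f"{entry_path}: refusing to use an entry without a "
                           "valid signature from a trusted key")
    return proc.stdout
```

The fingerprints passed as `trusted_fprs` should be the full 40-hex-digit fingerprints of the keys allowed to write entries, not short key ids.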
babuloseo over 2 years ago
I am researching password books at the moment https://passwordbook.org/7-benefits-of-using-a-password-book/

aborsy over 2 years ago
The discussion in the article is poor.

* Yes, symmetric encryption is better than asymmetric encryption in terms of resistance to brute force attacks. However, as soon as you type in the password in a login page, it will be protected by asymmetric encryption in TLS. All data in transit is protected by asymmetric encryption, often RSA 2048.

On the other hand, asymmetric encryption is better than symmetric encryption in that it doesn't need the private key for encrypting a password. This reduces the exposure of the private key.

* The fact that the file names may not be encrypted is part of the appeal. In exchange, you get: passwords live in sort of their own sandbox environments. If the local machine is compromised while a password is read, other passwords are not affected (see the next item on smart cards).

This is great: with a single database, as you frequently extract unimportant passwords, your important passwords, say your bank account password, are decrypted too, and at risk. Further, with a single database, it's difficult to frequently type in the master password; so the database is usually unlocked in the local machine, with all passwords loaded in RAM.

* A GPG key can be put in a smart card. Every touch of the Yubikey gives up only one password.

* There are many password managers with self-rolled cryptography. The code has very rarely been audited, even for keepassxc. A lot of code is involved, with GUIs, complex databases, apps, and plug-ins. You want to outsource the cryptography to a well audited codebase. OpenPGP and GPG have been thoroughly reviewed.

Pass is a simple short bash script that you can actually audit yourself. That's very important to security.

* The directory can be encrypted by a wrapper, see gopass and similar.

* GPG 2.3 has introduced AEAD modes, such as ChaCha-Poly. So there is now authenticated encryption (there is MDC which is outdated). You could also sign the encryption, which is a proper authentication.

There are also newer tools such as Passage using Age encryption (though some tools such as an agent are missing). Passage uses the PIV applet of the Yubikey, so you can have multiple keys.

* Symmetric encryption allows for 256 bits of security. In practice, it's difficult to frequently type in and rotate such a key. People use much weaker passwords. You can use a key file, but that's plaintext in the local system.

* The secrets have to be entered by command line a lot of times. Pass works great with piping etc.

I strongly suggest using a Yubikey with Pass or passage. You get strong security conveniently with a weak PIN code.

71a54xd over 2 years ago
I wonder what OP would think of this password manager recently mentioned on HN? https://news.ycombinator.com/item?id=34159631

nequo over 2 years ago
Is a better alternative to store passwords in an encrypted SQLite database? That would address the problems with the directory structure and Git.

skcusgnad over 2 years ago
Just use KeePass. It allows you to encrypt with a key, if that's your thing.

Edit: just noticed they recommend KeePass at the end. Damn I'm good.