===================
== paulefou site ==
===================
Code, Data, and a Bit of CrossFit

Pass: The Standard Unix Password Manager - (Convenient Open Source)

This is mostly a note to myself for the future, but I hope this might be helpful for someone who wants to have an extremely convenient, configurable, yet free and open source password manager. Let’s first have a look at what we want our password manager to be able to do:

  1. Automatically fill in the passwords in Firefox and Chromium
  2. Automatically fill in the OTP in Firefox and Chromium
  3. Copy to clipboard any password in under 5 key presses on a keyboard
  4. Copy to clipboard any OTP in under 5 key presses on a keyboard
  5. Fill the password from your iPhone
  6. Sync the passwords across all your browsers, phones, laptops, etc.
  7. Add the new OTP to your store without your phone and with just 2 commands
  8. Generate a new password

And we can do all of that with pass – the standard Unix password manager.

Here’s what you need to install to make the most out of pass.

  1. Install pass
  2. Initialize the password store along with a Git repo (local, plus a remote if you want to sync)
  3. Install pam-gnupg to unlock the GnuPG keys on login
  4. Install pass-otp to work with OTPs. It seems that nowadays it’s included with pass itself
  5. Install passmenu-otp to get the OTPs from dmenu
  6. Install zbar to decode QR images for OTPs (optional)
  7. Install passforios for iPhone
  8. Install Browserpass (Browserpass host app, browserpass-chromium extension, and browserpass-firefox extension)
  9. Alternatively, install passff and passff-host for Firefox

Note on Browserpass: Browserpass is an opinionated app. They have intentionally chosen not to fill anything on load of the web page. To “auto-fill” the password, you need to press Ctrl+Shift+F. I don’t think I’m in a position to say if this is the wrong or right decision. If you do feel like you can make a meaningful contribution to the discussion, please see this issue. For OTPs in Browserpass, you have to manually enable them in the extension settings. This is also intentional and discouraged by Browserpass. You can read the justification here. The OTPs in Firefox using Browserpass do not seem to work as well as they do in Chromium. For that reason, for the fact that I’m using Firefox as my daily browser, and for the notes above, I’m using passff for Firefox instead of Browserpass. I’m still using Browserpass for Chromium though.

Most of the points I listed above are fairly straightforward, so I’ll only explain things that are not and some of the configs I did on my system to make this setup even more convenient.

pam-gnupg

Install pam-gnupg. Everyone’s setup is quite different here. I, for one, do not have a login manager and I did have a lot of problems with that, but most people should be fine just following the instructions from the repo. One general note: make sure the passphrase on your GPG key is the same as your user password. pam-gnupg simply forwards the password you typed at login to the GPG agent, so if the two differ the key will not be unlocked.

Organizing the Password Store

Pass itself does not impose any schema. However, other tools like Browserpass and passff might expect the data to have a certain schema to be able to automatically fill in the passwords. Typically, a single entry might look something like this:

your-password
login: your-login
url: https://github.com/login
otpauth://totp/GitHub:your-totp-url

I like to organize them as directories with a single file per website. Directories might be personal, work, study, and so on. This is not really important except for the name of the file that stores the passwords. Browserpass will only “auto-fill” entries whose file name matches the website’s domain. For example, personal/github.com will work, but personal/github will not. You’d still be able to manually search for this item, but you won’t be able to “auto-fill” it. Passff will auto-fill both github.com and github, because it looks at the url property in the file instead. The URL should be the URL of the login page of that app.

The password should be stored on the first line of the file; there’s no need to add any key to that line. All tools will just copy the first line as the password.

The login goes under the login key, and the OTP URI goes on its own line starting with otpauth://, as in the example above.

The cool thing about passff is that you can actually automatically fill in forms that require more than just login and password. For example, some websites will ask you for a company name, login, and password. In that case, you can look into the HTML to find the id or name of that field and use it as the key on the left-hand side. Here’s an example that I have:

password
login: username
CompanyLogin: CompanyName
url: url_of_the_login_page
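To make the layout described above concrete, here is an added example (my own script, not code from the post or from the pass, Browserpass or passff projects) that lints an already-decrypted entry: it reads the first line as the password, looks up login: and url: fields, finds the otpauth:// line, and checks that the file name matches the host of the url: field, which is the condition Browserpass needs before it will auto-fill. The entry text and the entry paths are constructed for the example; in practice you would feed it the output of pass show.

```shell
#!/bin/sh
# Added example, not from the post: lint a decrypted pass entry against the
# layout Browserpass and passff expect. Assumes the entry text is already
# decrypted (e.g. from `pass show personal/github.com`).

# Constructed sample entry, mirroring the layout the post describes.
SAMPLE_ENTRY='correct horse battery staple
login: your-login
url: https://github.com/login
otpauth://totp/GitHub:your-login?secret=JBSWY3DPEHPK3PXP&issuer=GitHub'

# entry_password ENTRY: the first line is the password, whatever it contains.
entry_password() {
    printf '%s\n' "$1" | head -n 1
}

# entry_field KEY ENTRY: the value of a "KEY: value" line after the first line.
entry_field() {
    printf '%s\n' "$2" | awk -v key="$1" \
        'NR > 1 && index($0, key ": ") == 1 { sub(/^[^:]*: */, ""); print; exit }'
}

# entry_otpauth ENTRY: the otpauth:// URI line, if any (what pass-otp reads).
entry_otpauth() {
    printf '%s\n' "$1" | awk 'NR > 1 && /^otpauth:\/\// { print; exit }'
}

# url_host URL: the host part of a URL (scheme, port, path and query stripped).
url_host() {
    printf '%s\n' "$1" | sed -E 's#^[a-zA-Z]+://##; s#[/:?].*$##'
}

# browserpass_name_ok ENTRY_PATH ENTRY: Browserpass auto-fills only when the
# file name (e.g. personal/github.com) matches the site's host, so compare the
# basename of the entry path with the host of the url: field.
browserpass_name_ok() {
    path_base=$(basename "$1")
    host=$(url_host "$(entry_field url "$2")")
    [ -n "$host" ] && [ "$path_base" = "$host" ]
}

# lint_entry ENTRY_PATH ENTRY: print one line per finding; return 0 when clean.
lint_entry() {
    rc=0
    [ -n "$(entry_password "$2")" ] || { echo "$1: empty password on line 1"; rc=1; }
    [ -n "$(entry_field login "$2")" ] || { echo "$1: missing login: field"; rc=1; }
    [ -n "$(entry_field url "$2")" ] || { echo "$1: missing url: field (passff needs it)"; rc=1; }
    browserpass_name_ok "$1" "$2" || {
        echo "$1: file name does not match url host (Browserpass will not auto-fill)"; rc=1; }
    otp=$(entry_otpauth "$2")
    if [ -n "$otp" ]; then
        case "$otp" in
            otpauth://totp/*secret=*) ;;
            *) echo "$1: otpauth line is not a TOTP URI carrying a secret"; rc=1 ;;
        esac
    fi
    return $rc
}

# Run against the constructed sample: the first path passes, the second is the
# personal/github case from the post and is flagged.
lint_entry personal/github.com "$SAMPLE_ENTRY" && echo "personal/github.com: ok"
lint_entry personal/github "$SAMPLE_ENTRY" || true
```

Run over a whole store with something like pass ls to enumerate entry names and pass show to decrypt each one; the script never writes anything, so it is safe to point at a live store.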

Adding OTPs

You’re presented with a QR code on the screen. Now you have to grab your phone, open Authy, scan the QR code, and manually enter the OTP value into the field.

How about pressing a hotkey that captures the screen, decodes the QR code and puts the otpauth URI on the clipboard, ready to paste into the pass file? After that you only copy the OTP value from the store into the input field. Sounds better?

Here’s the idea:

scrot can capture the screen.

zbarimg can decode the QR codes.

xclip can copy to clipboard.

Here’s my binding in i3:

bindsym --release $mod+q exec scrot -s -d 1 "/home/paulefou/screens/qr_codes/%Y-%m-%d_%wx%h.png"  -e "zbarimg -q --raw \$f | xclip -selection clipboard"

This copies the otpauth URI to the clipboard, and you can then paste it into the entry in the password store. Then I’d press mod+o, choose the right OTP, and paste it into the input field of the OTP. Voilà!
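The same capture, decode and store pipeline as a script, added here as an example of my own (not the post’s binding and not part of pass-otp), with one step the one-liner lacks: the decoded text is checked to be a TOTP otpauth:// URI with a base32 secret before it goes anywhere, so a mis-read or unrelated QR code on screen is not written into the store. It assumes scrot, zbarimg, xclip and pass-otp are installed, that pass otp append accepts the URI on standard input as pass-otp’s README shows, and a screenshot directory under $HOME/screens/qr_codes; the sample URI is constructed.

```shell
#!/bin/sh
# Added example, not from the post: capture a QR code from the screen, decode
# it, validate the otpauth:// URI and append it to an existing pass entry.
# Assumed tools: scrot, zbarimg, xclip, pass with the pass-otp extension.

# Constructed URI of the kind zbarimg prints for a TOTP enrolment QR code.
SAMPLE_URI='otpauth://totp/GitHub:alice?secret=JBSWY3DPEHPK3PXP&issuer=GitHub&digits=6&period=30'

# uri_param NAME URI: value of one query parameter, empty if absent.
uri_param() {
    printf '%s\n' "$2" | awk -v name="$1" -F'[?&]' '{
        for (i = 2; i <= NF; i++)
            if (index($i, name "=") == 1) { sub(/^[^=]*=/, "", $i); print $i; exit }
    }'
}

# uri_label URI: the "issuer:account" label between the OTP type and the '?'.
uri_label() {
    printf '%s\n' "$1" | sed -E 's#^otpauth://[a-z]+/##; s#\?.*$##'
}

# check_otpauth URI: accept only a TOTP URI carrying a base32 secret.
# Returns 0 when the URI looks usable, 1 with a reason on stderr otherwise.
check_otpauth() {
    case "$1" in
        otpauth://totp/*) ;;
        *) echo "not a TOTP otpauth:// URI" >&2; return 1 ;;
    esac
    secret=$(uri_param secret "$1")
    if [ -z "$secret" ]; then
        echo "URI has no secret parameter" >&2
        return 1
    fi
    case "$secret" in
        *[!A-Za-z2-7=]*) echo "secret is not base32" >&2; return 1 ;;
    esac
    return 0
}

# capture_and_store ENTRY: let the user select a screen region, decode the QR
# code in it, validate the URI, copy it to the clipboard and append it to the
# pass entry. The screenshot is removed afterwards because the PNG contains
# the seed in the clear.
capture_and_store() {
    entry=$1
    dir="${HOME}/screens/qr_codes"                      # assumed location
    mkdir -p "$dir"
    shot="$dir/$(date +%Y-%m-%d_%H%M%S).png"
    scrot -s -d 1 "$shot" || return 1
    uri=$(zbarimg -q --raw "$shot")
    if check_otpauth "$uri"; then
        printf '%s\n' "$uri" | xclip -selection clipboard
        printf '%s\n' "$uri" | pass otp append "$entry"
        echo "appended $(uri_label "$uri") to $entry"
        rc=0
    else
        rc=1
    fi
    rm -f "$shot"
    return $rc
}

# When run directly with an entry name, perform the capture.
if [ $# -gt 0 ]; then
    capture_and_store "$1"
fi
```

Bind it in i3 the same way as the scrot one-liner (bindsym --release $mod+q exec --no-startup-id /path/to/this-script.sh personal/github.com), or have the entry name come from passmenu. Note that the one-liner in the post leaves every captured PNG in ~/screens/qr_codes, and each of those images is the OTP seed in plaintext; deleting the file once the URI is in the store removes that copy.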

Next time you’ll need to enter an OTP, passff will do it for you.

I use mod+o for OTPs and mod+p for passwords.

bindsym $mod+p exec --no-startup-id passmenu
bindsym $mod+o exec --no-startup-id passmenu-otp

One last note about OTPs. This is Browserpass’s point and it’s valid, so use the OTPs with pass at your own risk:

Keeping both passwords and OTP URI in the same location diminishes the major benefit that OTP is supposed to provide: two-factor authentication. The purpose of multi-factor authentication is to protect your account even when attackers gain access to your password store, but if your OTP seed is stored in the same place, all auth factors will be compromised at once.