One of the simplest ways to stay safe online is to practice good password hygiene: use a different password for every service and site, make each one long and random rather than based on dictionary words, and include numbers and special characters where the site allows them.

Where possible, you should back this up with sturdy two-factor authentication.

Probably the biggest reason people reuse the same weak passwords is that it's hard to remember many different complex ones. That is why there's a flourishing market for password managers, with companies like LastPass, LogMeOnce, and Dashlane all thriving. Consumers are becoming increasingly conscious of how password managers can protect them online.

But what if you want an open-source password manager for Linux, Mac, and Windows? Well, you're in luck. Pass is free, built on the well-established GPG (OpenPGP) encryption standard, and easy to use.

The Fundamentals of Pass

Pass is a simple, command-line password manager. What makes it unique is that each password is stored in its own GPG-encrypted file, named after the website or resource the password is for. These files are organized in a hierarchical tree under ~/.password-store.

This simple design is good for users, because passwords can be manipulated with standard Unix tools: you can, for example, decrypt a password with Pass and pipe it straight into another utility. Since each entry is just an encrypted file, you can move your store from computer to computer simply by copying the directory, with one caveat: the GPG private key that the store was initialized with must also be available on the destination machine, or the files cannot be decrypted there. With that in mind, it is very portable.

Pass can also copy a password to the clipboard temporarily, and changes to the store can be tracked with the Git version control system.
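To make the "passwords are just files" point concrete, here is an added shell example of my own (not code from the pass project). It treats a store as the directory tree it is: it lists entries the way pass does, resolves which .gpg-id file governs each entry (a subfolder can carry its own .gpg-id, created with pass init -p subfolder, and a .gpg-id file may name several recipients, one per line), and prints the set of key IDs a copy of the store would need on another machine. The sample store it builds, including its DEMOKEY... key IDs, is constructed placeholder data; the .gpg files in it are empty, not real ciphertext.

```shell
#!/bin/sh
# Added example, not from the pass project: treat a password store as the plain
# directory tree it is, and work out which GPG keys it depends on.
# The demo store built by make_demo_store is constructed sample data: its .gpg
# files are empty placeholders and its key IDs (DEMOKEY...) are made up.
set -eu

# List entries the way `pass` does: paths relative to the store, minus ".gpg".
store_entries() {
    ( cd "$1" && find . -type f -name '*.gpg' \
        | sed -e 's|^\./||' -e 's|\.gpg$||' | LC_ALL=C sort )
}

# Which recipients an entry is encrypted to. Like pass itself, walk up from the
# entry's directory to the nearest .gpg-id: a subfolder's .gpg-id (made with
# `pass init -p subfolder ...`) overrides the root one, and the file may name
# several keys, one per line.
recipients_for() {
    store="$1"; entry="$2"
    dir=$(dirname "$store/$entry.gpg")
    while :; do
        if [ -f "$dir/.gpg-id" ]; then
            paste -s -d ' ' "$dir/.gpg-id"
            return 0
        fi
        [ "$dir" = "$store" ] && break
        dir=$(dirname "$dir")
    done
    echo "no .gpg-id governs $entry" >&2
    return 1
}

# The full set of key IDs the store needs. Copying ~/.password-store to another
# machine is only useful if the matching secret keys exist there too.
required_key_ids() {
    store_entries "$1" | while read -r entry; do
        recipients_for "$1" "$entry" | tr ' ' '\n'
    done | LC_ALL=C sort -u
}

# Report required keys whose secret half is absent from the local keyring
# (only when gpg is installed; the demo IDs are fake, so expect them all listed).
missing_secret_keys() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; skipping" >&2; return 0; }
    required_key_ids "$1" | while read -r id; do
        gpg --batch --list-secret-keys "$id" >/dev/null 2>&1 || echo "$id"
    done
}

# Constructed sample store: the article's layout plus a shared "team" folder
# with its own two-recipient .gpg-id.
make_demo_store() {
    store=$(mktemp -d)
    mkdir -p "$store/email" "$store/social" "$store/team"
    echo 'DEMOKEY00000001' > "$store/.gpg-id"
    printf '%s\n' 'DEMOKEY00000001' 'DEMOKEY00000002' > "$store/team/.gpg-id"
    : > "$store/email/personal.gpg"
    : > "$store/social/twitter.gpg"
    : > "$store/team/wiki.gpg"
    echo "$store"
}

demo=$(make_demo_store)
echo "entries:"; store_entries "$demo"
echo "team/wiki is encrypted to: $(recipients_for "$demo" team/wiki)"
echo "keys this store needs:"; required_key_ids "$demo"
echo "of which missing locally:"; missing_secret_keys "$demo"
rm -rf "$demo"
```

Point it at a real store with store_entries "$HOME/.password-store" and the same functions work unchanged, because pass keeps nothing in the tree except .gpg files and .gpg-id files (plus a .git directory if you enabled Git tracking). Running missing_secret_keys on the machine you are copying the store to is a quick way to find out whether you forgot to export a private key before moving.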

To get it, just tell your package manager to install Pass. On Ubuntu or Debian, run

sudo apt-get install pass

On Fedora, it's

sudo dnf install pass

(or sudo yum install pass on older releases).

(I'm installing it on my Mac, so I typed brew install pass.)


Once it's installed, you can start to build up your collection of passwords.

It's worth emphasizing that Pass doesn't impose any requirements on the data it stores. While the name suggests it's just a password manager, it doesn't dictate any particular schema: each entry is a flat text file that Pass encrypts. The one convention that matters is that the first line is treated as the password (it is what the clipboard option copies); anything after it is yours to use. This means you can store anything from PINs and usernames to recovery codes and other metadata. Even poems.

How to Use Pass

When you first install Pass, your password store will be empty and there will be some configuration that needs to be done before you can start to use it.


Thankfully, Pass handles this for you. Just run:

pass init "your-gpg-id"

This creates the ~/.password-store directory and records the key ID in a .gpg-id file inside it, so that every entry you add is encrypted to that key. For this to work, the text in between the quotation marks has to be the ID (or the e-mail address) of a GPG key for which you hold the private key.


If you don't already have one, you'll have to create one. To do this, run

gpg --gen-key

...and follow the instructions. They're pretty straightforward. To confirm that your key has been created, and to find the key ID that pass init needs, run:

gpg --list-secret-keys --keyid-format long


If everything goes well, you can now run pass with no arguments and it will print the (still empty) tree of your password store.


Now you can start to fill pass with information. This follows a really simple convention.

To insert a password, just run pass insert Servicetype/ServiceName. So, if you were adding your personal email account, you'd run:

pass insert email/personal

...and then type the password at the prompt. It is asked for twice and not echoed to the terminal.


Running pass again will show the hierarchy of your password collection as a tree, which grows as you add entries.


If you want to see a password, you'll have to run something like:

pass social/twitter

You'll be prompted for your GPG passphrase. Please note that my real Twitter password isn't "password".


You can also copy passwords to the clipboard. If I wanted to copy my Twitter password to the clipboard, I'd use:

pass -c social/twitter

Only the first line of the entry is copied. For security reasons, Pass clears the clipboard again after 45 seconds (the default; it can be changed with the PASSWORD_STORE_CLIP_TIME environment variable), so the password doesn't linger where another program could read it.


Pass can also generate strong random passwords (older releases shelled out to the pwgen utility; current releases read from /dev/urandom themselves). If I wanted to generate myself a 30-character password for LinkedIn, I'd run:

pass generate social/linkedin 30

If you want to remove a password, you just need to run the equivalent of

pass rm social/twitter
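The whole procedure above, as an added example script of my own (not from the pass project). It runs every step against a throwaway GnuPG keyring and password store, by pointing GNUPGHOME and PASSWORD_STORE_DIR (the variable pass itself honours) at a temporary directory, so it cannot touch your real ~/.gnupg or ~/.password-store. It needs pass and GnuPG 2.1 or later. The key name, e-mail address and entry contents are made-up demo values, and the key is generated without a passphrase only because the keyring is disposable.

```shell
#!/bin/sh
# Added example, not from the pass project: the article's workflow end to end,
# run against a throwaway GnuPG keyring and password store so it cannot touch
# your real ~/.gnupg or ~/.password-store. Needs pass and GnuPG 2.1+.
# The key name, e-mail address and entry contents below are made-up demo values.
set -eu

# Read an entry and return only its first line, the part pass treats as the secret
# (it is what `pass -c` copies to the clipboard).
pass_first_line() {
    pass show "$1" | head -n 1
}

# Confirm an entry is ciphertext on disk: the known plaintext must NOT appear in
# the .gpg file, but must appear once gpg decrypts it.
entry_is_encrypted() {   # $1 = entry name, $2 = a string known to be in the plaintext
    f="$PASSWORD_STORE_DIR/$1.gpg"
    [ -f "$f" ] && ! grep -q "$2" "$f" \
        && gpg --batch --quiet --decrypt "$f" 2>/dev/null | grep -q "$2"
}

run_demo() {
    WORK=$(mktemp -d)
    trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT
    export GNUPGHOME="$WORK/gnupg"            # isolated keyring
    export PASSWORD_STORE_DIR="$WORK/store"   # isolated store; pass honours this variable
    mkdir -m 700 "$GNUPGHOME"

    # 1. Create a key without interactive prompts. No passphrase, because this
    #    keyring is disposable; never do that for a real key.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Pass Demo <pass-demo@example.invalid>' default default never
    key_id=$(gpg --batch --list-secret-keys --with-colons | awk -F: '$1 == "sec" { print $5; exit }')

    # 2. Initialise the store; pass records the key ID in $PASSWORD_STORE_DIR/.gpg-id.
    pass init "$key_id"

    # 3. Add an entry without a prompt. First line = password, the rest = metadata.
    printf '%s\n' 'correct-horse-battery-staple' 'user: demo@example.invalid' \
        'url: https://mail.example.invalid' | pass insert --multiline email/personal >/dev/null

    # 4. Let pass generate a 30-character password; -n leaves out symbols.
    pass generate -n social/linkedin 30 >/dev/null

    # 5. Read things back and check what actually landed on disk.
    echo "store layout:"; pass ls
    echo "email password: $(pass_first_line email/personal)"
    echo "generated password: $(pass_first_line social/linkedin)"
    entry_is_encrypted email/personal correct-horse && echo "email/personal is ciphertext on disk"

    # 6. Delete an entry; --force skips the confirmation prompt.
    pass rm --force social/linkedin
}

if command -v pass >/dev/null 2>&1 && command -v gpg >/dev/null 2>&1; then
    run_demo
else
    echo "this demo needs pass and gpg installed" >&2
fi
```

The clipboard step (pass -c) is left out because it needs a display; everything else is the same command you would type by hand. The entry_is_encrypted check is the one worth keeping: if a script ever writes to the store without going through pass, it is the quickest way to notice a plaintext file sitting among the .gpg ones.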


It's worth pointing out that password managers are only as secure as the people who use them. For some useful tips on how to use them effectively, check out this piece from Dann Albright.

Migrating to Pass From Other Services

If you're already using a different password manager, but are tempted by Pass, you'll be delighted to hear that the Pass community has written a number of scripts to port passwords. These are primarily written in Ruby, but also in Python, Perl, and Shell. They can migrate passwords from the following services:

  • 1Password
  • KeepassX
  • Keepass2
  • Figaro
  • LastPass
  • Ked
  • Revelation
  • Gorilla
  • PWSafe
  • KWallet
  • Roboform

To download these, visit the Pass website and scroll all the way to the bottom.

It's also worth emphasizing that if you're not keen on using Pass on the command line, the community has created a number of GUI interfaces for it. The most gorgeous is GoPass, which is written in Google's Go programming language. It can only be used to view passwords, though, not to insert or remove them.


There's also one written in Python, called Pext. This plugs into a number of Linux services, including Pass, and makes it easy for you to search for items.

How Do You Keep Your Passwords Secure on Linux?

Do you use Pass, or is there another service you prefer to use? I want to hear about it. Drop me a comment below, and we'll chat.