One of the simplest ways to stay safe online is to practice good password hygiene. For each service and site you use, you should make sure that you use a different password which contains a combination of numbers and special characters, and isn't based on any dictionary words.
Where possible, you should back this up with sturdy two-factor authentication.
Probably the biggest reason why people reuse the same weak passwords is because it's hard to remember different complex ones. It's for this reason why there's a flourishing market for password managers, with companies like LastPass, LogMeOnce, and DashLane all thriving. Consumers are becoming increasingly conscious of how password managers can protect them online.
But what if you want an open-source password manager for Linux, Mac, and Windows? Well, you're in luck. Pass is free, based on sturdy encryption standards, and super easy to use.
The Fundamentals of Pass
Pass is a simple, command-line based password manager. What makes it unique is that each password is stored in its own GPG-encrypted file, named after the website or resource the password is for. These files are organized in a hierarchical tree structure located under ~/.password-store.
This simplistic philosophy is beneficial for users, because it means that passwords can be manipulated using standard Linux command tools. You can, for example, grab your password and pipe it to another Linux utility. Since passwords are flat files, you can move them from computer to computer simply by transferring them. This makes it super portable.
Pass is even capable of temporarily storing passwords on the clipboard, and changes can be tracked using the Git versioning system.
To get it, just tell your package manager to install Pass. On Ubuntu or Debian, run
sudo apt-get install pass
On Fedora, it's
sudo yum install pass
(I'm installing it on my Mac, so I typed brew install pass.)
Once it's installed, you can start to build up your collection of passwords.
It's worth emphasizing that Pass doesn't specify any kind of requirements on the data it stores. While the name suggests it's just a password manager, it doesn't dictate any particular kind of schema. It's just a flat text file. This means you can store anything from PIN numbers, to metadata. Even poems.
How to Use Pass
When you first install Pass, your password store will be empty and there will be some configuration that needs to be done before you can start to use it.
Thankfully, Pass handles this for you. Just run:
pass init "<your GPG key ID>"
This creates the folders where your passwords will be stored. For this to work, the text in between the quotation marks has to be the ID of your own GPG key (the placeholder above stands in for it).
If you don't already have one, you'll have to create one. To do this, run
gpg --gen-key
...and follow the instructions. They're pretty straightforward. To check that your key has been successfully created, run:
gpg --list-keys
If everything goes well, you'll see something like this when you run Pass.
Now you can start to fill pass with information. This follows a really simple convention.
To insert a password, just run pass insert Servicetype/ServiceName. So, if you were adding your personal email account, you'd run:
pass insert email/personal
...and then follow the instructions in the terminal prompt.
Running Pass again will show you the hierarchy of your password collection. Here, you'll see my collection of passwords is getting bigger and bigger.
If you want to see a password, you'll have to run something like:
pass social/twitter
You'll be prompted for your GPG passphrase. Please note that my real Twitter password isn't "password".
You can also copy passwords to the clipboard. If I wanted to copy my Twitter password to the clipboard, I'd use:
pass -c social/twitter
For security reasons, Pass will clear the clipboard after 45 minutes to prevent the password from falling into the wrong hands.
Pass can also generate strong passwords using the pwgen utility. If I wanted to generate myself a 30-character password for LinkedIn, I'd run:
pass generate social/linkedin 30
If you want to remove a password, you just need to run the equivalent of
pass rm social/twitter
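The whole procedure above (create a key, initialize the store, insert, generate, show, remove), plus the "pipe it to another utility" and "it's just a flat text file" points from the Fundamentals section, run end to end in a throwaway store. This is an added shell example and not code from the article or from the Pass project. It assumes `gpg` (GnuPG 2.x) and `pass` are installed; the key parameters, the entry names, and the password "hunter2" are constructed for the demo, and the store and keyring live in a temporary directory so nothing under ~/.password-store or your real keyring is touched.

```shell
#!/bin/sh
# Added example: drive Pass non-interactively in an isolated store.
# Assumes gpg (GnuPG 2.x) and pass are installed; all values are constructed.
set -eu

# Both Pass and GnuPG honour these variables, which is what isolates the demo.
DEMO_DIR=$(mktemp -d)
export GNUPGHOME="$DEMO_DIR/gnupg"
export PASSWORD_STORE_DIR="$DEMO_DIR/store"
mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"

# Step 1: create a demo key. %no-protection gives it an empty passphrase so
# nothing prompts during the demo; a real key should carry a strong one.
make_demo_key() {
    gpg --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Pass Demo
Name-Email: pass-demo@example.invalid
Expire-Date: 0
%commit
EOF
    # `gpg --list-keys` is the human view; --with-colons is the scriptable one.
    # Field 5 of the "sec" record is the key ID that `pass init` expects.
    gpg --batch --list-secret-keys --with-colons | awk -F: '$1=="sec"{print $5; exit}'
}

# Step 2: initialise the store for that key ID.
init_store() {
    pass init "$1" >/dev/null
}

# Step 3: insert a multi-line entry from stdin instead of the interactive prompt.
# Convention used here: password on the first line, free-form metadata below it.
add_entry() {
    printf '%s\n' "$2" | pass insert -m "$1" >/dev/null
}

# Entries are flat files, so standard tools apply: take only the first line.
get_password() {
    pass show "$1" | head -n 1
}

# Step 4: let Pass generate a password of the requested length (-n: no symbols),
# then report the length of what was stored.
generate_entry() {
    pass generate -n "$1" "$2" >/dev/null
    pass show "$1" | head -n 1 | awk '{print length($0)}'
}

# On-disk location of an entry: a plain .gpg file under the store directory.
entry_file() {
    printf '%s/%s.gpg\n' "$PASSWORD_STORE_DIR" "$1"
}

demo() {
    key_id=$(make_demo_key)
    init_store "$key_id"
    add_entry email/personal 'hunter2
username: alice@example.invalid
url: https://mail.example.invalid'
    [ "$(get_password email/personal)" = hunter2 ] || return 1
    [ -f "$(entry_file email/personal)" ] || return 1
    # The file on disk is ciphertext, so the password must not appear in it.
    ! grep -q hunter2 "$(entry_file email/personal)" || return 1
    [ "$(generate_entry social/linkedin 30)" = 30 ] || return 1
    pass rm -f social/linkedin >/dev/null
    [ ! -f "$(entry_file social/linkedin)" ] || return 1
}

cleanup() {
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$DEMO_DIR"
}

# Run the live part only when both tools are present; the store is always removed.
if command -v gpg >/dev/null 2>&1 && command -v pass >/dev/null 2>&1; then
    demo && DEMO_STATUS=ok || DEMO_STATUS=failed
    cleanup
else
    rm -rf "$DEMO_DIR"
    DEMO_STATUS=skipped
fi
echo "demo: $DEMO_STATUS"
```

Every step maps onto a command from the article (`gpg --gen-key`, `pass init`, `pass insert`, `pass show`, `pass generate`, `pass rm`); the only additions are the flags that make them take their input from a script rather than a prompt, and the `grep` check that confirms the entry on disk is really ciphertext. Drop the temporary `GNUPGHOME` and `PASSWORD_STORE_DIR` exports and the same functions work against your real store.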
It's worth pointing out that password managers are only secure as the people who use them. For some useful tips on how to effectively use them, check out this piece from Dann Albright.
Migrating to Pass From Other Services
If you're already using a different password manager, but are tempted by Pass, you'll be delighted to hear that the Pass community has written a number of scripts to port passwords. These are primarily written in Ruby, but also in Python, Perl, and Shell. They can migrate passwords from the following services:
- 1Password
- KeepassX
- Keepass2
- Figaro
- LastPass
- Ked
- Revelation
- Gorilla
- PWSafe
- KWallet
- Roboform
To download these, visit the Pass website and scroll all the way to the bottom.
It's also worth emphasizing that if you're not keen on using Pass on the command line, the community has created a number of GUI interfaces for it. The most gorgeous is GoPass, which is written in Google's Go programming language. This can only be used to view passwords though, not to remove or insert them.
There's also one written in Python, called Pext. This plugs into a number of Linux services, including Pass, and makes it easy for you to search for items.
How Do You Keep Your Passwords Secure on Linux?
Do you use Pass, or is there another service you prefer to use? I want to hear about it. Drop me a comment below, and we'll chat.