1. 31

  2. 12

    Seems like a lot more hassle than just using Bitwarden, be it cloud or self-hosted, especially on mobile. Plus, even if not as secure, 2FA in Bitwarden is great.

    1. 5

      It’s more initial setup, but after that point depending upon your workflow it can be less hassle. In my case I’ve got it hooked up with fzf in my TWM so it’s more efficient than any proprietary UI could ever be. And long term there’s less hassle in using standard, multipurpose, open source tools like gpg and git.

      1. 5

        Oh, I would be totally onboard, but since I use passwords and 2FA on mobile a lot, not having the autofill capabilities on that app the article linked is a bit of a hindrance, along with other niceties. For my use cases, Bitwarden is open source enough to satisfy that.

        But if I think about it, I can see the benefit in the simplicity of this workflow if you don’t need the features I depend on, or the extra app switching doesn’t bother you.

        I tried pass a long time ago, probably around when it first came out, and liked it; just mobile was always a sticking point, and syncing everything. I mean that’s solved with stuff like Seafile, Nextcloud, Dropbox, Syncthing, rsync, etc. But it being built into what I am using is just a time saver.

        I will also admit that I am not as privacy-conscious as many are.

        1. 11

          Hi, Android Password Store maintainer here. The app does support Autofill, and does it rather well (even if I say so myself).

          I assume the author is on a very old Android version which doesn’t have native Autofill capabilities. The mention of overlays probably is about System Alert Windows, which apps used pre-Android 8.0 to present Autofill UIs. The accessibility and clipboard backed implementation that was used before native Autofill is extremely buggy and unsafe, so we’ve opted to completely remove it in our development branch.

          Another possibility is that they accidentally installed our legacy version that hasn’t been updated in a couple of years, and was marked as archived on F-Droid but I presume stays accessible even today. Here’s the currently maintained version.

          If neither of them are true /u/rhardih, please email me at aps@msfjarvis.dev with some info about your phone and Android version, and I’d love to sort this out :)

          1. 4

            Hi, this was totally a blunder on my part. I didn’t see it showing up in the Autofill menu next to LastPass and didn’t really think about it more than that, because I personally didn’t mind having to copy paste a bit.

            I’m guessing it’s disabled by default, because it’s necessary to trigger the “Auto-fill service” system settings page when enabling, in order to choose Password Store as default.

            I’m sorry for the misunderstanding. I’ve updated the post with a correction.

            1. 3

              Thanks for the prompt correction! We recommend that users enable Autofill from within the app since it allows us to present each currently installed browser’s Autofill support level upfront, so that users can adjust their expectations. This was mostly necessary back when Chromium-based browsers had absolutely terrible Autofill support, but is slightly less useful now that all the patches my co-maintainer has been pushing to Chromium have reached the stable channel with Chrome 89.

            2. 2

              Oh, cool, thank you for clarifying that and thank you for working on the app. I know it might not be for some, but it definitely solves a need for many, and I respect that and appreciate your efforts on the app.

              I might check it out for work related stuff.

              1. 2

                Thanks a lot for your kind words :)

        2. 2

          It isn’t. I host my password store in a git directory on my server and just use that to keep it updated on my phone and anything else. I also use rofi, so having pass-otp and rofi-pass really makes it great on my desktop, for example. The Android app also just works with OTP codes.

          1. 1

            I’m also in favour of a more seamless setup and am heading towards Bitwarden setup myself, albeit slowly.

            Recently, I’ve been made aware of a 3rd-party command line client for Bitwarden - rbw - it lacks some basic functionality, i.e. one can only edit the pass{word,phrase}, but it’s quite usable otherwise.

          2. 7

            pass is great. I use it and I love it. It does, however, lack one key feature: the password filenames are not encrypted. This does leak information should a malicious actor access the password repo. pass-tomb and pass-code attempt to solve this, in different ways.

            1. 2

              Another interesting bit about the encrypted files is that the file size can tell you something about the passphrase length, assuming the file contains nothing but the passphrase.

              Adding some extra data at the end of the file of random length is one way to work around it.
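An added example illustrating the two comments above (it is not code from the thread or from the pass project): it models how the size of a pass entry's `.gpg` file tracks the passphrase length, implements the random-length padding suggested above, and goes one step further with padding to a fixed size bucket so that all short entries encrypt to the same size. It relies on two facts about pass: each entry is one GPG-encrypted file, and only the first line is treated as the password, so extra lines after it are ignored by `pass -c`. The GPG size model (`GPG_OVERHEAD`), the sample store and the `# pad` line format are assumptions made for the demo; no real gpg is called.

```python
"""Added example, not from the thread: password-length leakage through pass
file sizes, and padding schemes that hide it. Runs offline on a constructed
in-memory store; sizes come from a simple model rather than from gpg."""

import secrets
import string

# ASSUMPTION: gpg output = plaintext length + a constant envelope (packet
# headers, one PKESK packet, MDC). Real gpg also compresses by default, so the
# true relationship is noisier, but for a short, high-entropy one-line entry
# it stays monotonic, which is all the leak needs.
GPG_OVERHEAD = 300
ALNUM = string.ascii_letters + string.digits
PAD_PREFIX = "# pad "          # comment line; pass-otp/browserpass ignore it

# Constructed sample store mirroring the ~/.password-store layout.
SAMPLE_STORE = {
    "email/alice@example.com": "hunter2\n",
    "bank/alice": "correct horse battery staple\n",
    "vpn/work": "Tr0ub4dor&3\n",
}


def ciphertext_size(entry: str) -> int:
    """Modelled size of the .gpg file pass would write for this entry."""
    return len(entry.encode()) + GPG_OVERHEAD


def guess_password_length(size: int) -> int:
    """An attacker holding only the repo (no private key) who knows the
    entries are bare one-line passwords recovers each length directly."""
    return size - GPG_OVERHEAD - 1          # minus the trailing newline


def password_of(entry: str) -> str:
    """What pass itself uses as the password: the first line."""
    return entry.split("\n", 1)[0]


def pad_random(entry: str, max_extra: int = 64) -> str:
    """The thread's suggestion: append a comment line of random length.
    The size now reveals len(password) + U(0, max_extra): blurred, but the
    file size still gives an upper bound on the password length."""
    if not entry.endswith("\n"):
        entry += "\n"
    extra = secrets.randbelow(max_extra + 1)
    filler = "".join(secrets.choice(ALNUM) for _ in range(extra))
    return entry + PAD_PREFIX + filler + "\n"


def pad_to_bucket(entry: str, bucket: int = 512) -> str:
    """Stronger variant: pad to a multiple of `bucket` bytes, so every entry
    shorter than the bucket encrypts to exactly the same size."""
    if not entry.endswith("\n"):
        entry += "\n"
    size = len(entry.encode())
    target = -(-size // bucket) * bucket    # round up to the next bucket
    min_line = len(PAD_PREFIX) + 1          # shortest possible pad line
    if 0 < target - size < min_line:
        target += bucket                    # no room for a pad line: next bucket
    needed = target - size
    if needed == 0:
        return entry
    filler = "".join(secrets.choice(ALNUM) for _ in range(needed - min_line))
    return entry + PAD_PREFIX + filler + "\n"


def leaked_lengths(store: dict) -> dict:
    """Password length per entry as recovered from unpadded file sizes."""
    return {p: guess_password_length(ciphertext_size(e)) for p, e in store.items()}


def padded_sizes(store: dict, bucket: int = 512) -> dict:
    """File sizes after bucket padding: identical for all short entries."""
    return {p: ciphertext_size(pad_to_bucket(e, bucket)) for p, e in store.items()}


if __name__ == "__main__":
    print("unpadded, attacker learns:", leaked_lengths(SAMPLE_STORE))
    print("bucket-padded sizes:      ", padded_sizes(SAMPLE_STORE))
    for p, e in SAMPLE_STORE.items():
        assert password_of(pad_to_bucket(e)) == password_of(e)
```

Padding has to be applied when the entry is written (for instance by piping through `pad_to_bucket` before `pass insert -m`); `pass generate` will not do it for you. Neither scheme touches the other leak discussed above, the entry file names, which is what pass-tomb and pass-code address.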

              1. 2

                I’ve previously had my .password-store in a Cryptomator vault and then put that on Dropbox for sync. This solves the filename problem. Given that I no longer put those files on a machine not in my control, it’s a fair enough tradeoff for now. Let’s hope I’m not wrong.

              2. 3

                One of these days I’ll write up my pass setup. I installed it a few months ago and have it nicely integrated into my workflow. The setup was a pain, though, and my experience was similar to the OP’s.

                There’s a thread on nixers.net where I’m helping someone set it up and I realized through helping him that there’s so much knowledge that I had of gpg and git that I leveraged when I set it up.

                I think it would be really handy to have a step-by-step guide of how to set up pass that goes into more detail on not only setting up pass but goes into more detail on the GPG and git setup, as well as setting up browserpass to integrate with the browser.

                1. 2

                  I moved off of LastPass because of their switch to one device, but I ended up going with Myki. I like that it doesn’t store my info on their servers and it has a seamless LastPass import. Pass is a bit of a primitive/too much DIY for what I want, but it seems like a decent option.

                  1. 1

                    Does Myki support running a headless client on say a NAS to ensure passwords are always synced?

                  2. 2

                    I tried to switch to pass before but couldn’t get over the lack of sync and browser extension - both I consider essential for any password manager.

                    Current solution is KeepassXC & Keepass2Android with Dropbox providing the synchronization between devices. Get full browser integration and sync everywhere for free (and an open source desktop client as a bonus).

                    1. 4
                    2. 2

                      Just want to plug prs here, it is pass but with many annoyances fixed. Compatible with your pass store.

                      1. 2

                        I used a CLI program called pwsafe for about 15 years. Late last year, I switched to gopass. My family and I realized that we needed a shared secret store. We’re all Linux users, but they noped out on gopass and told me to look at bitwarden. I now self-host with bitwarden_rs, and I recommend it.

                        Gopass and pass suit my use cases, but yeah that’s not everyone’s cup of tea.

                        The only thing I’m missing right now with my current setup is emacs integration. It looks like somebody may have already done some work on that front: emacs-bitwarden, so I should check that out.

                        1. [Comment from banned user removed]

                          1. 16

                            Your passwords are stored in GPG-encrypted files, which can be committed to a Git repo. This is arguably more future-proof than any app-specific database that needs to be sync’ed by that app.

                            I use pass across my devices, including android. The passwords are stored in Git, but also synced directly via Syncthing even on android.

                            My Brave browser (which has end-to-end encrypted sync enabled) also has these passwords stored as a second copy and for convenience. But pass on Git is the primary store for my passwords.
                            1. [Comment from banned user removed]

                              1. 6

                                I’m just clarifying the quoted text (taken from here, incidentally), so that your comment regarding a personal preference doesn’t accidentally cast it in a negative light in the mind of a casual reader.

                            2. 12

                              it’s not clear what your objection is?

                              1. 3

                                Applications need to stop shitting all over $HOME.

                                1. 10

                                  You can configure the password storage directory with the PASSWORD_STORE_DIR env var, as detailed in the pass manpage. That said, I’m not sure why a dotfile in your homedir is any worse than a dotfile in .local or .config in your homedir, which is what I assume the alternative would be. You gotta put program-specific per-user data somewhere, and I have no particular problem with the .file convention.

                                  1. 2

                                    Yeah, I think this is a fair criticism, but it can at least be fixed.

                                2. 4

                                  I switched to pass from 1Password. It was intended to be an interim measure whilst I tidied up my passwords and account data, but I’ve never switched on to anything else. One day I’ll look at bitwarden_rs.

                                  1. 3

                                    You’d rather it be in XDG_CONFIG_DIR? Or on S3?

                                    1. 5

                                      /I’d/ rather it was in XDG_CONFIG_DIR, but it doesn’t bother me too much.