1. 37

    I’ve been very happy with pass, a command-line tool that stores passwords and notes in a git repository. Being a directory of text files, it’s easy to use standard command-line tools on or tinker with programmatically. There’s a thriving ecosystem of plugins, tools, and clients.

    I also use autopass for autofilling in X applications. As time goes on, I fill in more and more autotype fields to check ‘remember me’ boxes and other non-standard fields. It’s really convenient. (One annoyance is that if any password files are not valid YAML, autopass errors to stdout without opening a window, so I hit my hotkey and nothing happens.)

    1. 11

      One more vote for pass, I’ve been a happy user for years now. Was missing a proper browser extension for it so I built one: Browserpass. It’s no longer maintained by me due to lack of time, but the community is doing a far better job at maintaining it than I possibly could so that’s all good!

      1. 10

        Pass looks pretty neat, but the reason I stick with KeePass(XC) is that Pass leaks metadata in the filenames - so your encryption doesn’t protect you from anyone reading the name of every site you have an account with, which is an often overlooked drawback IMO.

        1. 5

          Your filenames don’t have to be meaningful though. It would be relatively trivial to extend pass to use randomly generated names, and then use an encrypted key->value file to easily access the file you want.

          On the other hand, if someone already has that access to your device, accessing ~/.mozilla/firefox/... or analogous other directories with far more information is just as trivial, and has probably more informational value.
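          The random-filename scheme sketched in that comment, as an added example that is not part of the thread or of pass itself: a small wrapper script that stores each secret under a random name and keeps the site-to-filename map inside an encrypted pass entry, so a directory listing shows no site names. It assumes pass and gpg are already configured; `_index` is an assumed entry name and the `add`/`show` subcommands are this wrapper’s, not pass’s.

```shell
#!/bin/sh
# Added example, not code from the thread or from the pass project.
# Secrets live under random filenames; the site -> filename map is itself
# a pass entry (so it is gpg-encrypted like everything else in the store).
set -eu

INDEX_ENTRY="${INDEX_ENTRY:-_index}"   # assumed name of the encrypted map entry

# 16 random bytes as 32 hex chars: the name reveals nothing about the site.
opaque_name() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Check that a string is exactly 32 lowercase hex chars (what opaque_name yields).
is_opaque_name() {
    case "$1" in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

# Print the opaque filename recorded for a site, or nothing if it is unknown.
# The map is one "site<TAB>filename" line per entry, decrypted by pass.
lookup() {
    pass show "$INDEX_ENTRY" 2>/dev/null | awk -F'\t' -v s="$1" '$1 == s {print $2; exit}'
}

# Add a secret for a site: pick a random name, append the mapping to the map
# (re-encrypted by `pass insert -m -f`), then store the secret under that name.
add() {
    name="$(opaque_name)"
    { pass show "$INDEX_ENTRY" 2>/dev/null || true; printf '%s\t%s\n' "$1" "$name"; } \
        | pass insert -m -f "$INDEX_ENTRY" >/dev/null
    pass insert "$name"          # prompts for the secret as usual
}

# Show the secret for a site by resolving its opaque name first.
show() {
    name="$(lookup "$1")"
    [ -n "$name" ] || { echo "no entry for $1" >&2; return 1; }
    pass show "$name"
}

case "${1:-}" in
    add)  add "$2" ;;
    show) show "$2" ;;
    *)    echo "usage: $0 add|show <site>" >&2 ;;
esac
```

This hides only the names: the number of entries, file sizes and git commit timestamps in the store remain visible to anyone who can read the filesystem.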

          1. 3

            Then you’re working around a pretty central part of pass’s design, which I don’t really like. It should be better by default.

            W.r.t. your second point, if you give up when they can read the filesystem, why even encrypt at all? IMO the idea is you should be able to put your password storage on an untrusted medium, and know that your data are safe.

            1. 12

              “if you give up when they can read the filesystem, why even encrypt at all?”

              Because in my opinion, there’s a difference between an intruder knowing that I have a “mail” password, and them actually knowing this password.

        2. 5

          The QR code feature of pass is neat for when you need to login on a phone.

          1. 2

            Huh, you made me read the man page and learn about this - it’s really cool! What’s your usage like for this though? Just use any barcode reader and then copy paste in the password box?

            1. 1

              A barcode reader I trusted, but yeah - it’s a good hack because I usually have my laptop which has full disk encryption.

              1. 2

                Yeah, when you said that all I could think of was the barcode scanner that I used to use where it would store the result of each barcode scanned in a history file… Not ideal :)

          2. 2

            Seems like the Android version’s maintainer is giving up. (Nice, 80k lines of code in just one dep…)

            The temptation to NIH it is growing stronger but I don’t have enough time :(

          1. 8

            I’ve been happy-enough with LastPass - I can’t point to any reason beyond inertia, so really what I’m curious about in this thread: are there any significant differentiators that could sway a person to switch?

            1. 7

              A big reason for me would be moving away from proprietary stuff to secure my passwords

              1. 5

                To my knowledge at least by staying mainstream there’s a team of individuals working on the product. I’ve used LastPass for years, and while there have been issues in the past … There is a large userbase and community scrutinizing it.

                Going the self-hosted route negates a lot of the large community, and trial by fire already accrued by legacy solutions like LastPass.

                They also provide an export mechanism …

              2. 4

                I’ve stuck with LastPass for a while. AFAIK, no security issues that I’ve judged to be significant. I appreciate that, compared to the other solutions that I know of, it seems to be widely compatible and simple to use on all platforms.

                Only minor beef that I have is that the browser plugins, or at least the Chrome one, seems to have gotten slower and a little bit buggier over time instead of better and faster.

                1. 1

                  I use LastPass, but am not happy with it, as in the past, it had some pretty serious security issues:

                  1. https://www.martinvigo.com/even-the-lastpass-will-be-stolen-deal-with-it/. They fixed it promptly, of course, but it worries me.
                  2. https://news.ycombinator.com/item?id=8031720#8032186
                  3. https://twitter.com/tqbf/status/836619941805764609
                  4. https://twitter.com/taviso/status/843965519371812864

                  I would switch to 1Password, but it does not have Linux support (edit: it has a browser extension for Linux, which is suboptimal, but probably better than LastPass). I’ve almost talked myself into switching to KeePass, but I’ll have to find out how trustworthy the iOS version is.

                1. 2

                  Nice! Your title seems to have been truncated? Am interested in source - would be cool if you adapted some open ranking algo like reddit’s. To my biased eye, the ranking has some pretty old posts.

                  1. 1

                    Yeah, old posts can get bumped by someone replying to it or “boosting” it. But actually I like the result because it’s more for exploration than another website to get an addiction to.