path: root/src/published/2015-10-28_pass.txt
---
title: Switching from LastPass to Pass
pub_date: 2015-10-28 12:04:25
slug: /src/pass
tags: command line, security

---

I never used to use a password manager. I kept all my passwords in my head and used some tricks I learned from my very, very limited understanding of what memory champions like [Ed Cooke][1] do to keep track of them. I generated strings using [pwgen][2] and then memorized them. As you might imagine, this did not scale well. Or rather, it led to me getting lazy. I don't want to memorize a new strong password for some one-off site I'll probably never log in to again. So I would use a less strong password for those. Worse, I'd re-use that password at multiple sites.

Recognizing that this was a bad idea, I gave up at some point and started using LastPass for these sorts of things. But my really important passwords (email and financial sites) are still only in my head. I never particularly liked that my passwords were stored on a third-party server, but LastPass was just *so* easy. Then LogMeIn bought LastPass and suddenly I was motivated to move on.

As I outlined in a [brief piece][3] for The Register, there are lots of replacement services out there -- I like [Dashlane][4], despite the price -- but I didn't want my password data on a third party server any more. I wanted to be in total control.

I can't remember how I ran across [pass][5], but I've been meaning to switch over to it for a while now. It's exactly what I wanted in a password tool -- a simple, secure, command-line-based system using tested tools like GnuPG. There's also a [Firefox add-on][6] and [an Android app][7] to make life a bit easier. So far though, I'm not using either.

So I cleaned up my LastPass account, exported everything to CSV and imported it all into pass with this [Ruby script][8].
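As an added example (my own code, not the page's and not the lastpass2pass.rb importer linked above), here is a minimal version of that conversion in Ruby: it parses a constructed LastPass CSV export, assumed to use the columns url,username,password,extra,name,grouping,fav, and turns each row into the pass entry path and multi-line body you would feed to `pass insert -m`.

```ruby
require 'csv'

# Constructed sample of a LastPass CSV export (column layout assumed to be
# url,username,password,extra,name,grouping,fav). No real credentials here.
SAMPLE_CSV = <<~CSV
  url,username,password,extra,name,grouping,fav
  https://example.com/login,alice,Tr0ub4dor&3,"first note line
  second note line",Example Site,Web/Shopping,0
  http://sn,,,"secure note body",Bank hint,Notes,1
CSV

# LastPass marks secure notes (entries with no login) with this pseudo-URL.
SECURE_NOTE_URL = 'http://sn'

# Map a CSV row to a relative pass entry name: the grouping folder plus a
# filesystem-safe entry name, e.g. "Web/Shopping/Example_Site".
def entry_path(row)
  name  = row['name'].to_s.strip
  name  = row['url'].to_s if name.empty?
  name  = name.gsub(/[^\w.@-]+/, '_')
  group = row['grouping'].to_s.strip.gsub(%r{[^\w/.-]+}, '_')
  group.empty? ? name : "#{group}/#{name}"
end

# Build the entry body in the layout pass itself uses: password on the first
# line, then "key: value" metadata lines, then any free-text notes.
def entry_body(row)
  lines = [row['password'].to_s]
  user  = row['username'].to_s
  url   = row['url'].to_s
  extra = row['extra'].to_s
  lines << "login: #{user}" unless user.empty?
  lines << "url: #{url}" unless url.empty? || url == SECURE_NOTE_URL
  lines << extra unless extra.empty?
  lines.join("\n") + "\n"
end

# Convert a whole export into { "entry/path" => "body" }. Each body is what
# `pass insert -m entry/path` reads on stdin. An empty password field is kept
# (a secure note has none) so that no row silently disappears.
def convert(csv_text)
  CSV.parse(csv_text, headers: true).each_with_object({}) do |row, out|
    out[entry_path(row)] = entry_body(row)
  end
end

if __FILE__ == $PROGRAM_NAME
  convert(SAMPLE_CSV).each { |path, body| puts "#{path}\n#{body}\n" }
end
```

The CSV export holds every password in plaintext, so securely delete it once the import is done.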

Once you have the basics installed, there are two ways to run pass: with Git and without. I can't tell you how many times Git has saved my ass, so naturally I went with a Git-based setup that I host on a private server. That, combined with regular syncing to my Debian machine, my wife's Mac, rsyncing to a storage server, and routine backups to Amazon S3, means my encrypted password files are backed up on six different physical machines. Moderately insane, but sufficiently redundant that I don't worry about losing anything.

If you go this route there's one other thing you need to back up -- your GPG keys. The public key is easy, but the private one is a bit harder. I got some good ideas from [here][9]. On one hand you could be paranoid-level secure and make a paper printout of your key. I suggest using a barcode or QR code, printing it on card stock which you laminate for protection from the elements, and then storing it in a secure location like a safe deposit box. I may do this at some point, but for now I went with the less secure plan B -- I simply encrypted my private key with a passphrase.

Yes, that essentially negates at least some of the benefit of using a key instead of a passphrase in the first place. However, since, as noted above, I don't store any passwords that would, so to speak, give you the keys to my kingdom, I'm not terribly worried about it. Besides, if you really want to get these passwords it would be far easier to just take my laptop and [hit me with a $5 wrench][10] until I told you the passphrase for gnome-keyring.

The more realistic thing to worry about is how other, potentially far less tech-savvy, people can access these passwords should something happen to you. No one in my immediate family knows how to use GPG. Yet. So, until I teach my kids how to use it, I periodically print out my important passwords and store that file in a secure place along with a will, advance directive and so on.


[1]: https://twitter.com/tedcooke
[2]: https://packages.debian.org/search?keywords=pwgen
[3]: tk
[4]: http://dashlane.com/
[5]: http://www.passwordstore.org/
[6]: https://github.com/jvenant/passff#readme
[7]: https://github.com/zeapo/Android-Password-Store
[8]: http://git.zx2c4.com/password-store/tree/contrib/importers/lastpass2pass.rb
[9]: http://security.stackexchange.com/questions/51771/where-do-you-store-your-personal-private-gpg-key
[10]: https://www.xkcd.com/538/