I have tried pretty much every one of the well known password managers (that are open source and work on linux), but never found any of them very convenient to use.
It is simply the easiest, most intuitive password manager out there. One of those things that, once you come across them, you wonder why it took so long for something this logical to come into existence. I am not associated with the project, but these are just a few things I love about "pass"
1. Command-line based: which means I can script it, I can run it remotely, etc.
2. Uses Git to store the passwords: full revision history, changelog, and remote push/sync features that git is SO good at. Other password managers have to reinvent that whole wheel and none seems to do a good job. This also eliminates the need for "hosted" solutions - which I just simply refuse to use.
3. GPG for password encryption: once again, such a natural, awesome way to do things. GPG is already the safest practical way to secure data at rest. I can rest easy that no silly homegrown encryption system was invented. Also, as long as I have the keys, in the worst case I can do the decryption myself, if I do not have access to "pass".
The only thing I believe it might lack is the fact that the names of the entries are in the clear. Which means I cannot set up a GitHub (private) repository as remote for my pass store: the passwords themselves would still be gpg encrypted, thus safe, but the repository will leak the names of all websites and userIDs.
Indeed, I love pass. I found that the majority of the time, typing 'pass <servicename>' is faster than clicking through a GUI anyway, and far more convenient if I'm already in the terminal.
And on the web, all the other password managers have browser extensions to autofill data from their own database, but every common browser already does password storage and autofill natively. So once I grab a password from pass the browser remembers it anyway, making extensions unnecessary.
Oh, and the other thing I LOVE about pass is that because it uses GPG, the key encrypting all the data can be held in a nice portable smartcard, since GPG supports them directly, and it all just works when my smartcard is plugged in. I use a yubikey neo with openpgpcard applet for this and it's been great.
I did start writing an OS X dropdown menu for accessing my passwords from pass, but I haven't been in such a hurry to get it done because it doesn't seem all that necessary in practice :)
I think just pressing a hotkey to auto-type the correct password and username based on the currently active web page, program, window, etc. is easier still than opening a terminal and running a command. To me at least.
You make some really good points as a programmer/scripter, but most end users and consumers need something intuitive, and KeePass is just that. Personally I've used RoboForm now for over 5 years and have never been so happy to pay a yearly subscription fee. Stores notes/passwords etc.
I'm quite surprised to see this on HN homepage, I mean this is such a great and popular tool that I would expect everyone to know about it and find it just an obvious link not to upvote.
Does anyone know if there is a lib to read and write KeePass archives programmatically, e.g. from a C# app? That would be quite useful to manage in an automated way some credentials for production systems, sharing the archive via versioning repos in a team.
The dependencies for this seem more appealing than KeePass but unless my searching skills are not up to par there don't appear to be any browser autocompletion plugins.
I've been having it on my various systems (Windows, Linux, Android) in the sidelines for a couple months, and after initial fiddling, still haven't actually started using it.
This is mostly because I don't want to have to deal with copy-pasting my password between the KeePass app and the browser (where most of my passwords are needed). Luckily, there are autofill plugins that exist for Chrome [1], Firefox [2], and Android [3].
However:
- said plugins work with KeePass2, which on Linux the GUI theme to the point of being almost unusable (as a C# app using WinForms, it doesn't respect GTK/Qt theming well).
- getting the KeePass2 plugin needed for the browser plugins requires jumping through hoops on Linux and I haven't gotten it to work (yet?).
- I'm sharing my KeePass database on Dropbox (with its own security considerations...) to synchronise between the different systems and...
- The Android app just won't open the shared database.
So it feels like I'm 60% of the way there, but I still don't have a usable system. Hints appreciated.
Keepass proper has a global Ctrl+Alt+A shortcut that automatically types your username and password into the form: I've found it works fine on the majority of sites (almost everyone uses username-tab-password-enter, but for the few that don't, you can specify a custom auto-type format in Keepass. It even has an option to obfuscate the typing to trick keyloggers).
For Android, I recommend Keepass2Android: it comes with a custom keyboard you can enable temporarily, which inputs your password without going through the Android clipboard. I use it with the Dropbox app as well; I'm not sure why it's not working for you.
For personal use, I've been using LastPass for a few years but have been slowly migrating away from it in recent months. I'm switching to KeePassX which I already use for $work-related data. (I have intentionally avoided the Mono-based applications.)
KeePassX has similar "auto-fill" functionality as well. It's not as perfect or as seamless as LastPass but it is definitely usable (after a bit of one-time per-site tweaking in some cases). Having recently decided that using LastPass presents a non-zero risk, the extra effort I have to spend w/ KeePassX is certainly worth it, IMO.
Although I don't do it now, I have in the past kept my password databases in Dropbox. With Dropbox also installed on my iPhone, I am able to access my password databases using "MiniKeePass" on iOS without any issues.
In addition, there are Windows, Linux, and OS X versions of KeePassX and all of them can open up my .kdb files without any issues.
For those looking for something ultra lightweight, I highly recommend pwdhash (http://pwdhash.com). It's not a password manager, it's just an open source hashing algorithm that protects you from sites storing your password poorly. Instead of depending on them to store your password in a one-way hash, it does it on your end before sending the password to the site.
The algorithm is very roughly base64encode(hash(password + domain)), and then truncated to match your original password length.
The form on the site is just a demo (and backup if you need to use it outside of your own browser). What you really want is the extension (for most major browsers). You can type in the same strong password to every site and the extension will always hash it to the site specific password so you don't have to worry about them storing it poorly. You can also use unique master passwords for certain sites, if you so choose.
I built something like this a while back* but with a slightly more complex algorithm to make it more difficult to find the master password from a set of hashes. I ended up ditching it in favor of KeePass mostly because if a site is hacked and your plaintext hash is compromised there isn't a clean way to generate a new password every time.
Oh nice, I've been thinking about something like this a lot lately. I don't really like the idea of truncating the generated password, though. I'd rather it use a proper KDF and fill the password field to its limit.
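An added example, not from gibybo, stormbrew or the pwdhash project, sketching both schemes in Python: the rough hash-and-truncate derivation gibybo describes (SHA-256 is assumed here; the thread does not say which hash the real extension uses) beside a PBKDF2-based variant of the kind stormbrew asks for, which fills a fixed length instead of truncating and carries a generation counter so a single site's password can be rotated after a breach, the gap goatslacker mentions. The master password and domain are constructed sample values.

```python
import base64
import hashlib

# Constructed sample inputs, not taken from the thread.
MASTER = "correct horse battery staple"
DOMAIN = "example.com"


def pwdhash_like(master: str, domain: str) -> str:
    """Rough sketch of the scheme as described: base64(hash(password + domain)),
    truncated to the length of the master password. SHA-256 is an assumption.
    Because the output is a plain hash of (master, domain), one leaked site
    password gives an offline target for guessing the master, and there is no
    way to change the site password without changing the master."""
    digest = hashlib.sha256((master + domain).encode()).digest()
    return base64.b64encode(digest).decode()[: len(master)]


def kdf_site_password(master: str, domain: str, generation: int = 0, length: int = 32) -> str:
    """KDF-based variant: PBKDF2-HMAC-SHA256 with the domain and a generation
    counter as the salt. The slow KDF raises the cost of guessing the master from
    a leaked site password, the output is not truncated to the master's length,
    and bumping `generation` after a site breach yields a fresh, unrelated site
    password while the master stays the same."""
    salt = f"{domain}\x00{generation}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations=200_000, dklen=48)
    # 48 bytes -> 64 URL-safe base64 characters with no padding; keep `length` of them.
    return base64.urlsafe_b64encode(key).decode()[:length]


if __name__ == "__main__":
    print("pwdhash-like:", pwdhash_like(MASTER, DOMAIN))
    print("kdf gen 0:   ", kdf_site_password(MASTER, DOMAIN, generation=0))
    print("kdf gen 1:   ", kdf_site_password(MASTER, DOMAIN, generation=1))
```

Both functions are deterministic, which is the whole point of a stateless scheme; the difference is only in how expensive the derivation is to reverse and whether a per-site rotation hook exists.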
I recommend OneShallPass (http://oneshallpass.com) over KeePass. It's open source and auditable like KeePass, but:
1) It doesn't have to be compiled or installed, since it's just a monolithic HTML page with all JS/CSS inline.
2) It has a free, optional hosted service that stores encrypted passwords with pure client-side decryption, so you can get your passwords from any web-enabled device without having to trust the host.
> 2) It has a free, optional hosted service that stores encrypted passwords with pure client-side decryption, so you can get your passwords from any web-enabled device without having to trust the host.
This is an unbelievably audacious security shell game; I can't really believe this nonsense idea has somehow managed to gain traction.
The server is ephemerally delivering the code that supposedly encrypts your content securely.
Additional features:
- It works offline.
- You can import or export your passwords in CSV form.
- If you choose to delete your account, it is immediately and irrevocably destroyed.
1) It doesn't have to be compiled or installed, since it's just a monolithic HTML page with all JS/CSS inline.
The obvious and huge difference then would be that KeePass requires a password or key file to open but an HTML page requires only a browser or text editor. Major, major difference to me.
It makes me wish there was an open standard for sites to negotiate a new entry with a password manager, something automatic in the background for new registrations.
Site could send password restrictions, like allowed and required character types, minimum length, even maximum length, though that last one would be frowned upon. The locker would reply with a preferred username and random password and add same to the database upon acceptance.
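An added example, not from brownbat and not an existing standard, of the exchange described above in Python: the site publishes its password restrictions as a small JSON document, the manager generates a random password that satisfies them (using the OS CSPRNG via `secrets`) and replies with a preferred username, and the same policy check is what the site would run on acceptance. The field names (`min_length`, `max_length`, `allowed_classes`, `required_classes`) and the character-class table are assumptions made for the example.

```python
import json
import secrets
import string

# Constructed policy a site might advertise; field names are assumptions.
SITE_POLICY_JSON = json.dumps({
    "min_length": 12,
    "max_length": 20,   # frowned upon, but sites do impose one
    "allowed_classes": ["lower", "upper", "digit", "symbol"],
    "required_classes": ["lower", "upper", "digit"],
})
SITE_POLICY = json.loads(SITE_POLICY_JSON)

# Character classes the policy can refer to (assumed vocabulary).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+",
}


def satisfies(policy: dict, password: str) -> bool:
    """The check the site applies on acceptance: length bounds, only allowed
    characters, and at least one character from every required class."""
    allowed = set("".join(CLASSES[c] for c in policy["allowed_classes"]))
    if not policy["min_length"] <= len(password) <= policy.get("max_length", 10**6):
        return False
    if set(password) - allowed:
        return False
    return all(any(ch in CLASSES[c] for ch in password)
               for c in policy.get("required_classes", []))


def generate_password(policy: dict) -> str:
    """Manager side: pick the longest length the site allows (or min + 8 when no
    maximum is given, an assumption), guarantee one character per required
    class, fill the rest from the whole allowed set, then shuffle so the
    required characters do not sit at predictable positions."""
    required = policy.get("required_classes", [])
    length = policy.get("max_length", policy["min_length"] + 8)
    length = max(length, policy["min_length"], len(required))
    allowed = "".join(CLASSES[c] for c in policy["allowed_classes"])
    chars = [secrets.choice(CLASSES[c]) for c in required]
    chars += [secrets.choice(allowed) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def negotiate(policy_json: str, preferred_username: str) -> dict:
    """Manager's reply to the site's policy: username plus a conforming password.
    The manager verifies its own output against the policy before sending it."""
    policy = json.loads(policy_json)
    password = generate_password(policy)
    if not satisfies(policy, password):
        raise ValueError("generated password does not meet the advertised policy")
    return {"username": preferred_username, "password": password}


if __name__ == "__main__":
    print(negotiate(SITE_POLICY_JSON, "alice"))
```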
God damn, what you mentioned is a brilliant idea. I wish there was some standard for it. These are problems that I'm often inclined to work on solving, but unfortunately they are also the kind that need lots of time and adoption and formal procedures and acceptance from a large group of people to go anywhere, so I tend to just daydream about them for a little while then give up, hoping some standards body or an organization like Mozilla does something about it.
The only problems I have with KeePass are that it is Windows-first (though I know there are third-party native clients for Linux, OS X, Android etc) and that browser integration is not comparable to something like LastPass. I do want to get away from LastPass as my trust in the cloud (especially US based cloud services) took a dive after Snowden.
I have been using this for right at 2 years now and I like it. I haven't tried others but it serves my needs and satisfies whatever attributes I need to feel safe.
At times, it contributes to what I call "log in anxiety" in that it necessitates opening the program, and inputting a password to get my other password. But no one ever said the extra security was synonymous with convenience.
And I don't leave it open, nor do I allow it to store any information in browser plugins as this seems counterproductive to the sensitive passwords I use in this program.
Being on OS X, I have moved to 1Password. I'm, to this day, a dedicated proponent of Keepass. Anyone asking me to suggest a Password Manager - my first answer is Keepass (Windows or Linux). Even for OS X, if one cannot afford 1Password yet or does not want to buy it just yet, Keepass is the one.
* Spend some time learning the Keyboard shortcuts and you're all set.
* Keep the Keepass File on Dropbox, so it's synced across your machines and is backed up.
* Sharing common credentials with a team - server login details, team site details etc - have a common Keepass File on Dropbox and share it with your team. Suggestion is to open it as "read-only" unless you're adding new entries.
* You can also have an additional layer of security by using an additional (optional) Key Locker File (besides the main password) to lock Keepass. You can have that on a thumb-drive or some place you know.
* One thing I really wish 1Password had that Keepass has is the auto-generation of a password when you enter a new entry. One can set parameters for what password is generated. I have to click to get that in 1Password.
P.S. If I remember correctly, Keepass even has a portable version.
If I may, I have a question that was inspired by using password managers.
Does anyone see any security issues with a website supporting the user name and password being entered together in one field? The normal way of entering the user name into one field and the password into another would continue to work. The site would simply check, and if the user name field content is blank and the password field content has a space in it, the password field content will be assumed to actually be the user name and password together, separated by a space.
The idea here is that you'd then be able to enter both the user name and the password with a single copy/paste operation. This would be convenient when using a password manager on an iPad. I sometimes get tired of having to do this:
1. unlock password manager
2. copy user name
3. switch to browser
4. paste user name
5. switch back to password manager
(If using most paranoid security settings, insert another step of "unlock password manager")
6. copy password
7. switch to browser
8. paste password
If the website supported my single-field option, I could just set the password manager to store the user name and password in the password field, and then it is only unlock/copy/switch/paste.
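An added example, not from tzs, showing the server-side rule above in Python together with the edge cases a reviewer would ask about. The split is applied only when the user name field is blank, and only the first space separates the two, so a password that itself contains spaces still works in the combined form. A blank user name with a space-free password field, or an empty half on either side, is rejected instead of guessed at. The parsed pair then goes through the site's ordinary verification (a constructed in-memory store with PBKDF2 hashes and a constant-time compare), so nothing changes on the storage side; the user record and password are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple


def split_credentials(username_field: str, password_field: str) -> Optional[Tuple[str, str]]:
    """Apply tzs's rule: a blank user name plus a password field containing a
    space means 'user name<space>password'. Returns (user, password) or None
    when the submission cannot be interpreted."""
    if username_field:
        # Normal two-field login: nothing to parse.
        return username_field, password_field
    if " " not in password_field:
        return None
    user, _, password = password_field.partition(" ")  # split on the FIRST space only
    if not user or not password:
        return None
    return user, password


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: username -> (salt, PBKDF2 hash). The password has a
# space in it on purpose so the combined form is exercised.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("s3cret pass", _SALT))}


def verify_login(username_field: str, password_field: str) -> bool:
    """Ordinary verification after parsing. Note that in the combined form the
    user name travels in the password field, so this path must not log or echo
    that field on failure the way some sites log a rejected user name."""
    creds = split_credentials(username_field, password_field)
    if creds is None:
        return False
    user, password = creds
    record = USERS.get(user)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(_hash(password, salt), stored)


if __name__ == "__main__":
    print(verify_login("alice", "s3cret pass"))      # two fields
    print(verify_login("", "alice s3cret pass"))     # single field
    print(verify_login("", "s3cret pass"))           # password alone: rejected safely
```

The last case is the one worth noticing: a user who types only a password containing a space into the combined field gets it parsed as user name "s3cret" and password "pass", which simply fails to match any record. The scheme does not leak anything extra by itself, but it does mean the password field now sometimes carries a user name, so any logging or error message that treats the two fields differently has to be revisited.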
I believe that instead of messing around with a known standard (username + password fields), it would be better if web services would implement two-factor authentication. Password managers would become useless then, because you would be able to use simple passwords that you may remember, while being even more secure.
A while back I set off half a day to setup KeePass, not that setting up KeePass takes that long - but generating random passwords for all the sites that I use did. KeePass is great, there's an app for Windows Phone that is great and there is a third party plugin for Chrome that will both enter and help me save passwords when the vault is open.
Great software, everyone should be using password vaults.
Really want to start using KeePass on Android with an NFC token, but it looks like the YubiKey Neo might get a new version soon to support U2F. Anyone know if the U2F thing is worth waiting for? Don't want to spend $50 (probably £50) to find it's obsolete next week.
I started using KeePassX because it was a good cross-platform way to store my passwords. I'd had a couple cases where a password had simply gone -missing- for me, so I figured it was time to put all my eggs in one basket and try to not drop that. I figured it was less of a security vulnerability than reusing the same password a bunch of times. I've currently got the .kdb file up on the internet at large, in case my house burns down. I figure it'll make HN if the .kdb files are ever found to be hackable, right?
It's a sort of wishful, hopeful approach to password security, really.
I have been using it since version 1. Unfortunately I have upgraded to KP2 which can't easily export/import to KeePassX which is what I want to switch to, mostly because I very rarely use Windows these days and when I do I don't really need my PW-DB.
I'm syncing it via ownCloud as a test run (https, non-US site) and it works fine. Not sure I ultimately want to do that via the cloud though. Might just switch to using a USB stick, especially since merging DBs works pretty well.
I have this problem as well. For some reason KeePass 2.x (Windows, at work) cannot read KeePass 1.x databases and KeePassX on my Linux computer at home. So if I want to exchange between the 2, I have to export from KeePass 2.x, so now I have 2 databases that are generally in sync, until I forget to export it.
So not ideal. I'm considering switching from KeePass 2.x to KeePass 1.x (currently 1.26, released in July of last year, so not too old) but I wish these applications would get their compatibility on the same level.
edit: I wasn't sure if KeePassX had a Windows port -- it does and I downloaded it to replace KeePass at work with.
Installed it, saw "I understand that my encrypted data will be sent to LastPass", then uninstalled it. O_O Yeah, definitely better to use KeePassX software. Passwords should never be stored online no matter how secure the service claims to be. Especially with recent revelations about all the privacy/security issues in the USA. KeePassX is still in alpha stages; the only available stable Linux version right now for KeePassX is v0.4.3.
ghoul2 | 12 years ago
Until I came across this: http://www.zx2c4.com/projects/password-store/
In any case, kudos and thanks to the devs!
revasm | 12 years ago
Consider encrypting the filenames with Fuse+EncFS. This flaw is pretty huge elsewise; it's why I changed to using gnupg.vim+SublimeGPG.
BCM43 | 12 years ago
http://finestructure.net/assword/
krapp | 12 years ago
Although since I am studying C#, VB and Java I would be interested to find out the answer to that.
hedwall | 12 years ago
[1]https://www.keepassx.org/
mikegirouard | 12 years ago
The source[1] is also on GitHub. As a non-C++ programmer, I found it pretty easy to follow along.
[1]: https://github.com/keepassx/keepassx
AceJohnny2 | 12 years ago
[1] https://chrome.google.com/webstore/detail/chromeipass/ompiai... [2] https://addons.mozilla.org/EN-us/firefox/addon/passifox/ [3] https://play.google.com/store/apps/details?id=com.hanhuy.and...
grumps | 12 years ago
Personally, I don't like the idea of browser plugins and I'm perfectly happy using copy and paste.
[1]https://play.google.com/store/apps/details?id=com.android.ke...
goatslacker | 12 years ago
* https://github.com/goatslacker/hash
sushirain | 12 years ago
* A site may be able to compromise the browser extension.
* You have to memorize several passwords because sites require different length passwords.
* The code has been reviewed less.
* A key-store like KeePass can store many original passwords, not just one hashed password.
* It doesn't have a non-browser app, so I had to copy paste passwords from the browser, while KeePass has Alt-Ctrl-A.
teacup50 | 12 years ago
How do you not have to trust the host?
mnicolosi | 12 years ago
I wouldn't recommend using it yet, but any feedback would be super helpful.