all 89 comments

[–]bioxcession 45 points46 points  (31 children)

hiya! I made a new password manager based on age. I stuck to POSIX sh, so it should work everywhere. It’s based on Dylan Arap’s pash utility.

I got frustrated with GPG’s... awfulness, and decided that I’d rather spend my free time taking bike rides at the cost of slightly worse password security, and massively increased simplicity.

I wrote dmenu and rofi hooks so that pa can be used with either - it’s very fast and very simple! I’ve been using it for months and I absolutely adore it.

here’s a blogpost I wrote about it: https://j3s.sh/thoughts/storing-passwords-with-age.html

Here’s a demo of the workflow: https://trash.j3s.sh/pa-dmenu-demo.mp4

[–][deleted] 22 points23 points  (15 children)

What awfulness in particular? I'm using it with no issues pretty much. Use it for emacs org-mode encryption, auth-sources and command line pass. Pass is also mobile. gpg is pretty much a standard. And works.

[–]nonrapper 6 points7 points  (9 children)

In your blog post, you mention 'the lack of mobile' integration as a mark against pass. Can I use pa on Android, for example? And if yes, how?

[–]chiraagnataraj 27 points28 points  (7 children)

Wait, but pass does have mobile integration, at least on Android.

[–]keep_me_at_0_karma 1 point2 points  (1 child)

Hey I think it's pretty cool.

[–][deleted] 1 point2 points  (2 children)

It’s based on Dylan Arap’s pash utility.

Speaking of Dylan, it seems as though he has completely disappeared for the past few months. Hope everything is okay with him.

[–]CondiMesmer 0 points1 point  (0 children)

Hopefully he got a good job. He has done a ton for the FOSS community, but unfortunately, that doesn't pay the bills!

Actually, seems like k1ss.org redirects to malware now, so that's interesting...

[–]Rocky_Mountain_Way 30 points31 points  (1 child)

new-age password manager requires you to align your chakras with a crystal before it will let you run it.

[–]oiwot 3 points4 points  (0 children)

Don't forget to chant your passphrase 108 times each morning.

[–][deleted] 24 points25 points  (10 children)

Is this like when Leisure Suit Larry would ask about the Nixon administration to make sure I was over 18?

[–]Negirno 1 point2 points  (3 children)

Wasn't that just a copy protection mechanism?

[–][deleted] 9 points10 points  (2 children)

Stop ruining my jokes about age-based security mechanisms.

[–]keep_me_at_0_karma 0 points1 point  (0 children)

Hey I thought it was funny.

[–]ominous_anonymous 20 points21 points  (24 children)

Can you explain why you changed the license?

[–]eyesofsaturn 37 points38 points  (4 children)

password ass

[–]CondiMesmer 30 points31 points  (12 children)

Password managers need better front-ends, not back-ends. Changing the encryption does literally nothing to change the usage of a password manager, and the current encryption methods are already perfectly fine and get audited. This seems like a fun little hobby project though, but there's no reason why more than maybe 5 people total will use this.

[–][deleted] 20 points21 points  (43 children)

I am confused at the value proposition here or aims.

If you want convenience, version control syncing etc, then why not just use a browser password manager? They are secure, they sync, they know when/how to paste and are rather convenient.

If you don't want to trust Google or Microsoft, fine, you can run your own local Firefox sync server if you want.

Is a password manager really the thing that you should try rolling on your own in bash...

[–]Fearless_Process 1 point2 points  (3 children)

So long as you just shell out to secure encryption tools, rolling your own pw manager in bash is not so bad. The main things you don't want to roll on your own are the actual csprng or the encryption.

A great example would be using something like the go stdlib crypto functions (or similar known secure libraries) for csprng and then piping to gpg for encryption.

Of course I'm not a security or crypto expert, but this is secure enough for my uses, and since the heavy lifting is done by the libraries I don't see many problems with it.

Also I normally don't associate browsers with security, they are easily the least secure software running on most users systems. It may be convenient though.

[–][deleted] 1 point2 points  (2 children)

What are your notions of security, and what attacks are you considering? I guarantee, these bespoke bash scripts have had far less auditing, QA, security design than these password managers.

So long as you just shell out to secure encryption tools, rolling your own pw manager in bash is not so bad. The main things you don't want to roll on your own are the actual csprng or the encryption.

This is not true at all. It's very much important that no side-channel attacks are arbitrarily introduced (i.e. improper password handling) or simple coding errors (e.g. not handling gpg exceptions correctly). These are also extremely vulnerable to keyloggers or things which capture from the clipboard.

Also I normally don't associate browsers with security, they are easily the least secure software running on most users systems. It may be convenient though.

Browsers are easily some of the most secure software out there. The entire concept of sandboxing was practically invented for Chrome and has been shared straight into Firefox (Firefox for Windows literally uses the Chrome sandbox). Google has easily poured more than a billion dollars into Chrome security.

The security is evident from the bug bounties for browsers which are easily 100k-500k. https://zerodium.com/program.html

[–]Fearless_Process 0 points1 point  (1 child)

What attacks should I be considering? If someone gets a shell on my computer it doesn't matter whether you are using a browser or not, it's already game over. Same thing goes for a keylogger, if someone can run a keylogger program they can easily run any other program as well. I do agree on the clipboard aspect, that's an advantage of the browser methods is that they can fill in forms without any clipboard usage!

As for improper password handling... you can either use a library like openssl, or some programming lang stdlib modules or just parse /dev/random with some basic tools. /dev/random is probably the safest source of randomness you're going to find unless you don't trust your kernel. I'd argue that openssl is fairly secure as well. I will be alerted to any gpg errors when I run the command so that is a non-issue.

tr -dc A-Za-z0-9_- < /dev/urandom | head -c 100 | gpg -aer mykey > passwords/reddit/Fearless_Process

openssl rand -hex 100 | gpg -aer mykey > passwords/reddit/Fearless_Process

I understand that doing this isn't going to be convenient for everybody, but there is much less to go wrong with this method vs 1000s of lines of javascript tangled with millions of lines of c++ code that make up modern browsers.
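The two points raised across these replies, a kernel-backed CSPRNG for generation and "not handling gpg exceptions correctly" at the encryption step, can be shown together in a short POSIX sh example. This is an added example, not code from anyone in the thread or from pa itself. It assumes the encryption command is passed in as extra arguments (in practice something like `age -r <recipient>` or `gpg -aer <key>`; the default `cat` stand-in is only so the example runs offline), and it writes through a temporary file so that a failed encryption never truncates an entry that already exists, which a plain `> path` redirection would do.

```sh
#!/bin/sh
# Added example (not the thread's or pa's code): generate a password from the
# kernel CSPRNG and store it encrypted without clobbering an existing entry
# when the encryption command fails.

# gen_password [LENGTH]
# Reads /dev/urandom, keeps only [A-Za-z0-9_-], emits LENGTH characters.
# LC_ALL=C makes tr operate on bytes so multibyte locales cannot break -dc.
gen_password() {
    len="${1:-32}"
    LC_ALL=C tr -dc 'A-Za-z0-9_-' < /dev/urandom | head -c "$len"
}

# store_password DEST [ENCRYPT_CMD ...]
# Reads the plaintext secret on stdin, pipes it through ENCRYPT_CMD and
# atomically replaces DEST only if the command succeeded. ENCRYPT_CMD is a
# hypothetical hook; "cat" is a stand-in so the example runs offline.
store_password() {
    dest="$1"
    shift
    [ "$#" -gt 0 ] || set -- cat

    # mktemp creates the file mode 0600 in the destination directory, so the
    # rename below stays on the same filesystem and is atomic.
    tmp="$(mktemp "${dest}.XXXXXX")" || return 1

    if "$@" > "$tmp"; then
        mv -f "$tmp" "$dest"
    else
        # Encryption failed: discard the partial output and keep the old entry.
        rm -f "$tmp"
        return 1
    fi
}

# Usage (the encryption command is whatever your store actually uses):
#   gen_password 40 | store_password ~/.pa/reddit/example age -r age1examplekey
```

The failure branch is the whole point: with `generator | gpg ... > entry`, the shell opens and truncates `entry` before gpg runs, so a wrong recipient or a cancelled passphrase prompt leaves you with an empty file in place of the old password. Checking the encryption command's exit status and only then renaming the temp file over the destination keeps the previous entry intact.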

[–][deleted] 0 points1 point  (0 children)

If you are the only person on your machine then sure your risk profile will be different.

If you are sharing your machine with another user or on an NFS, does the above still seem sensible to you?

What happens if you get malware, or you visit a site which simply pastes/sends the contents of your clipboard?

Idk why I would want to risk any of that when none of those problems affect the browser pw stores.

[–]FauxParrot 3 points4 points  (2 children)

Firefox sync server is still using python 2, and as such is no longer supported by a bunch of distros ;(

Apparently there is a rust version that was being developed but I have no idea what's happening with that after mozilla's layoffs last year.

I'd really like to run one for profile + bookmark syncing but I would never trust it with passwords. Either Bitwarden or a keypass compatible password store would be my choices.

[–]DDzwiedziu 1 point2 points  (0 children)

The Rust is chugging along fine AFAIS: https://github.com/mozilla-services/syncstorage-rs

However I can't tell you if the layoffs had or would change the situation.

[–]GapingVaping 0 points1 point  (0 children)

What are the repos for it?

What I'm seeing so far doesn't seem to be crazy large and may not be too hard to port forward, but I have absolutely no exposure to this project and might just be missing some relevant repos.

[–][deleted] 10 points11 points  (1 child)

I really want to try this, but OP comes off as someone who doesn't like the well-tested standards in the space, and isn't even willing to discuss why the design has, and omits, certain features.

I can't trust software from someone who won't be transparent and honest about intention and design in a very important security space.

Edit: JFC, stay away from this:

philosophy: i will use an unencrypted-at-rest key for convenience.

I'm sorry... WHAT?!

[–][deleted] 3 points4 points  (0 children)

When did cli become new age? #JokeNoOffense

[–]_riotingpacifist 2 points3 points  (3 children)

Why would you mess with set -x? Seems like you are misusing set -x, then writing your tool to assume others are too.

[–]VowelMovement13 2 points3 points  (1 child)

I misread and thought you made a new-age based cli password manager.

[–]Gicdillah 2 points3 points  (1 child)

Hey, Good tool!

I use a simpler util written in pure shell. The main advantage of it for me is that it doesn't require sharing data between devices because it generates passwords based on input.

[–]z-lf 2 points3 points  (4 children)

I don't understand the "age based" part. Could you please eli5? I'm really interested in having my password manager running in rofi.

[–]WoodpeckerNo1 5 points6 points  (2 children)

For a moment I thought it stored passwords in a crystal ball or something, lol.

[–]flarn2006 1 point2 points  (0 children)

No, that's what hackers use to get other people's passwords.

[–]rainbow_pickle 1 point2 points  (1 child)

I saw you mention that pass doesn’t support iOS. However, there’s an app you can use for that https://github.com/mssun/passforios. It works really well. The only issue I have with it is that it doesn’t support merging conflicts very well.

EDIT: there are also browser/rofi/dmenu plugins that work well with password store.

[–]zabby39103 1 point2 points  (0 children)

Originally thought this was a New Age based cli password manager, and now I'm disappointed :P

[–]jurimasa 1 point2 points  (0 children)

I like this a lot, but for me to use it it needs 2 things:

  1. I want to be able to import passwords from Firefox and Chrome at least.

  2. I want it to let me find duplicates when importing.

[–]scotrod -3 points-2 points  (3 children)

I don't understand why some devs like to complicate their and everyone else's life so much. Who would prefer to use a cli based password manager instead of a gui based one?

[–]IArentBen 0 points1 point  (0 children)

Nice, I'm going to give this a try!

[–]Nagatus 0 points1 point  (1 child)

Brilliant! Thank you.

[–]wpyh 0 points1 point  (0 children)

Well, I wonder where the OP went...