Managing passwords, securely

If the news out of LastPass has you looking for another service, have the alternatives given you a lot of confidence? They sure are asking for a lot of trust…

For folks wanting another option, I’ll share how I’ve self-hosted password management happily for years.

Who is this method for?

This is for people motivated to leave online password management services because of security or privacy concerns.

The adventurous and those with some knowledge of GPG and git have a good chance of success. I acknowledge these tools can seem intimidating and that learning them is a time and energy investment. I’ll link to guides and other resources to help you get set up, so this will be just short of a how-to.

How does it work?

Pass is a tool that “stores, retrieves, generates, and synchronizes passwords securely”. It leverages tools I already use and that are widely regarded as reliable—gpg and git.

I like that with GPG, I’m in complete control of the encryption that pass uses to secure passwords. Git, likewise, allows me to store the passwords in any Git repository rather than be bound to any one cloud provider. The flexibility these afford is why this method stands out from proprietary offerings.

The decrypted contents are plaintext, too—there’s nothing special about the files pass uses, so I can store whatever I want. It’s conventional to put the password on the first line for convenience, but the lines after that can be anything—username, secret questions, notes, etc.

Here’s what I did to set it up:

  1. Install and set up gpg
  2. Install and set up git
  3. Install and set up pass
     • Set which GPG key to use for encryption
     • Add git repository
  4. Import passwords
  5. If using a git remote, push everything up so it’s accessible to your other devices
  6. If your data was exposed, this is a good time to start resetting passwords
     • Log in to a website, app, service, etc.
     • Generate a new password with pass (refer to help for generate with the --in-place option)
     • Do a password reset with the new password
     • Reset a few every day if you have a large number of passwords

I also want access to my passwords while away, so I use the iOS app. I actually find it more convenient to grab passwords from my phone and use Handoff to paste them into forms on my Mac. Getting the keys in place on iOS was challenging, but there’s a solid guide for multiple ways to do this.

The documentation for GPG and Git is comprehensive and well-maintained. Check those out, too.

What’s next?

After setup, usage is a breeze. With git enabled, it’s possible to use pass in many of the same ways as LastPass, 1Password, or the others:

  • Synchronization: push commits to a private git remote you’ve set up on any of the online services like GitLab, GitHub, BitBucket, or your own; pull the changes down on another device.
  • The base experience is a command line interface. You can also use a GUI.
  • Using one of the mobile apps, it’s also possible to get one-time passwords for 2FA. When enabling 2FA for a service, use the app to scan the QR code. Unlike most “authenticator” apps, you retain the secret key in a pass file. Add the recovery codes to the file, too.
  • Pass for iOS hooks into autofill, so it’s easy to log in to sites without having to switch to the app. If you have iCloud Handoff, you can copy a password from the app and paste it into a login form on another Mac.

Adjusting to Pass' system is quick—many of the concepts translate well. You’ll also have the satisfaction of having set up a secure, portable, open source system for maintaining strong passwords—yay! ✨

Resources

Patrick Walsh @mossymaker