
Comment by enkrs

2 days ago

Browser password managers with passkeys are more convenient for me, but a pass vault can still be useful for recovery codes and API keys.

I used pass for a while but couldn’t see what threat model it actually solves:

If you let GPG agent cache your key, any script (e.g. an npm post-install) can just run `pass ls` or `pass my/secrets` and dump all your credentials. At that point it’s basically just full-disk encryption with extra steps—might as well keep everything in ~/passwords.txt.

If you don’t cache the key, you’re forced to type your long GPG password every single time you need a secret.

I tried a YubiKey for on-demand unlocking, but the integration is clunky and plugging it in constantly is a pain if you need passwords multiple times per hour.

I eventually switched to Bitwarden.

That’s true for any password manager. If the database/store is unlocked (so the master password is cached or available in RAM), all passwords can be extracted. You have to lock the password manager when you don’t need it.

In fact, with Bitwarden, the cached password is exposed to the browser, which has a large attack surface (including interacting with random remote servers). There was just a vulnerability in most browser-based password managers, including Bitwarden, that would allow a remote attacker to trick a user into sending out their passwords.

I use Bitwarden but mostly for non-critical passwords.

  • Doesn't good 2factor minimize a large attack surface like this?

    I like the idea of storing password data in individual encrypted files and using git to store changes, but I wonder if it creates more friction to retrieve the information. I haven't tried this solution yet. I will when I get more time. It seems like this solution would benefit from a more standardized specification for storing and retrieving information. I know it's not every person's cup of tea, but maybe some kind of separate add-on for streamlining this process could be beneficial.

  • >That’s true for any password manager

    Modern operating systems isolate individual apps such that a malicious app cannot access the RAM of another app. There is a difference between not making an effort to protect passwords and requiring an OS exploit to do so.

    • Memory isolation doesn't really help, though. If you have a malicious process running under the same user account as your password manager, it's still game over since that process could e.g.

      - capture keyboard input
      - capture your screen
      - silently install browser extensions to capture your credentials
      - modify your shell config, .desktop files, $PATH, … to have you e.g. call a backdoored version of your password manager, or put a modified version of sudo on your $PATH that logs your password (=> root access => full memory access)
      - …


    • The OS protections apply to all applications. In addition, the job of agents like gpg-agent or ssh-agent is to protect secret keys while they are cached (like preventing the OS from writing keys to swap). You can configure them to erase keys after a certain time, require the user's confirmation for each key operation, store GPG keys in an internal TPM or external HSM, and talk to the agent through specific sockets.

      Unlike browser-based password managers, the agents don’t continuously interact with the browser code and remote elements (probably don’t have network access at all).

      One area that matters that I forgot to mention in my comment below is that, as a result of all above, Pass doesn’t check the domains and doesn’t protect against phishing. There might be extensions, but at that point, you might as well use keepassxc.

I just leave my yubi plugged in. It requires a physical touch anyway (at least you can configure it for that which I have). And my place is physically secure.

The good thing also is that unlike with fido2 you only have to enter the pin once for OpenPGP. Then it stays unlocked while it's plugged in. But still needs the physical touch for every password. Perfect and convenient for me.

It also works great on mobile with OpenKeychain and Password Store. Both are not really maintained now, but I don't really care because the encryption is in hardware anyway (YubiKey over NFC).

If you can spare a USB port you can use one of their Nano keys that just stays plugged in.

Even if someone/malware was to steal my yubikey pin they'd still need to convince me to tap the thing over 1,000 times to steal all my passwords.

I store my passwords on an encrypted file partition sqlite database. My script grabs the pass and immediately closes the partition afterwards.

You can also just encrypt your passwords into individual encrypted files (one for each password) and have your script clear the gpg agent after a passfile is decrypted.
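As an added illustration (not any commenter's own setup) of the agent tuning described upthread and the clear-after-use approach in this comment: a gpg-agent.conf contrasting a long-lived passphrase cache with a short one. It assumes GnuPG 2.x option names and a pass store encrypted to a key that the agent handles.

```conf
# ~/.gnupg/gpg-agent.conf  (added example, not from this thread)

# Weak: the passphrase stays cached for a day, so any process running as
# this user can call `pass show ...` without a prompt for that whole day.
#default-cache-ttl 86400
#max-cache-ttl 86400

# Tighter: an unlocked key is usable for 60 s after the last use, and the
# cache is dropped unconditionally 10 min after entry even with continued use.
default-cache-ttl 60
max-cache-ttl 600

# Never hand the passphrase to an external cache such as a desktop keyring.
no-allow-external-cache

# Signing always prompts, even while the decryption passphrase is cached.
ignore-cache-for-signing
```

After editing, `gpgconf --reload gpg-agent` applies the file; a wrapper script that wants to drop the cached passphrase the moment it has read one entry can run `gpg-connect-agent reloadagent /bye`, which is the "clear the agent after decrypting" step this comment describes.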

> a pass vault can still be useful for recovery codes and API keys

You might already be aware of this, but Bitwarden also has a CLI client that can be used for this purpose, at least casually.

  • And can run a local webserver to expose an API (though they still need to tighten up security on it)

You can configure the YubiKey to need a PIN and/or touch to authorise the use of a GPG key.

My main issue with pass is that it doesn’t work great on iOS with yubikeys.

  • Is the biometrics step (fingerprint reader) on macOS much different from a YubiKey? I imagine the implementation may have some differences, but in practice it seems I can already protect access to my GPG key using the built-in reader, so what's the advantage of a YubiKey in that respect? Genuinely curious.

    • The TouchID is bound to a device - of course, I could copy my secret into a secure enclave that is only accessible through TouchID. Could even just store my GPG key there. With a YubiKey, I generate the key on an airgapped device and store it on the YubiKey. No other piece of hardware ever needs to see my secret key in plaintext. I could achieve the same with TouchID, generate the secret key inside the enclave, but then I cannot move the secret keys out without some other computer bearing witness to that.

      I really do not want to give Apple any more leverage over me, I'm looking to minimize it.

It took a while to get it to work well, but I use a YubiKey here, and recommend it. I do need to find and plug it in sometimes, but overall I might leave it plugged in. And I have it configured to require a touch for every operation.

I can't remember how, but pass for me works in the Brave browser and Firefox, as well as on mobile. It's my only password manager. I'm assuming some browser plugin.

Is bitwarden in some way able to protect passwords while still being unlocked?