November 30, 2019

My Password Manager - gopass

In our digital lives we create a lot of accounts – and with these accounts come a lot of passwords. If you are like me, then you want to keep these accounts safe. I used to be the kind of person that used one password for every single account. I didn’t know any better. I didn’t know how terrible of a place the internet could be.

When I was younger I didn’t really have anything on the internet that was of value to anyone else. But then I started making my own money. And with my own money came my own debit card. And with my own debit card came making purchases online.

So now my debit card and bank information are online. I still think nothing of this. I’m a stupid, young kid. Why should I care? But then I started hearing about all these different data breaches. I start hearing about how people’s information is being stolen and I start reading about password managers.

For those of you who don’t know, a password manager is a service or app that stores all your online passwords for you so that you don’t need to remember them all. But what I believe is most important is that a lot of these password managers have the ability to generate random passwords for all your different accounts. This is super important! Now you have no excuse for using the same password over and over, again and again.

My Password Manager Journey

I’ve used many different password managers over the years. I started off with 1Password because it (at the time) was geared more towards Mac and iPhone users. I liked it, but the applications weren’t free. But it got my toes wet in the world of password managers. I used it for a few years but eventually switched over to LastPass. I liked that LastPass had free apps and browser extensions, and I eventually got a job working for a company that gave all of the employees Premium accounts. So that was great! Until I left the company and they immediately deleted my account (which had the pass phrase to my Bitcoin wallet. Now all that Bitcoin is forever lost). I still used the normal version of LastPass for a while after that, until I started to become really interested in Open-Source Software. I wanted a password manager that was free and open-source. That way I could know if there was anything fishy going on in the software, and I just like the idea of open-source. That’s when I discovered Bitwarden. I personally love Bitwarden. It’s open-source. It’s completely free. It has really nice apps and mobile support. It’s encrypted. It syncs between devices. It has really nice autofill with Android. I’m still a really big fan, and if I were to recommend a password manager for the “normal” non-nerdy person, I would 100% recommend Bitwarden. But this post isn’t about Bitwarden. This post is about what I’m currently using. And what I’m currently using is gopass.

What is gopass?

I’m glad you asked!

gopass is a simple but powerful password manager for your terminal.

Gopass is a rewrite of pass, the standard Unix password manager, but written in the programming language Go. The below quote from the pass website sums up the philosophy of both pass and gopass:

Password management should be simple and follow Unix philosophy. With pass, each secret lives inside of a gpg encrypted file whose filename is the title of the website or resource that requires the secret. These encrypted files may be organized into meaningful folder hierarchies, copied from computer to computer, and, in general, manipulated using standard command line file management utilities.

gopass is basically pass but with some extra features. I’m just going to paste the table from the gopass website below showing the comparison between pass and gopass.

| Feature | pass | gopass | State | Description |
|---|---|---|---|---|
| Secure secret storage | | | stable | Securely storing secrets encrypted with GPG |
| Recipient management | | | beta | Easily manage multiple users of each store |
| Multiple stores | | | beta | Mount multiple stores in your root store, like file systems |
| password quality assistance | | | beta | Checks existing or new passwords for common flaws |
| Binary support | | | alpha | Special handling of binary files (automatic Base64 encoding) |
| K/V and YAML support | | | alpha | Special handling for Key/Value and YAML content in secrets |
| password leak checker | | | alpha | Perform offline checks against known leaked passwords |
| PAGER support | | | stable | Automatically invoke a pager on long output |
| JSON API | | | stable | Allow gopass to be used as a native extension for browser plugins |
| Automatic fuzzy search | | | stable | Automatically search for matching store entries if a literal entry was not found |
| gopass sync | | | beta | Easy to use syncing of remote repos and GPG keys |
| Desktop Notifications | | | beta | Display desktop notifications and completing long running operations |
| OTP support | (✔) | | stable | Generate HOTP/TOTP tokens based on the stored secret |
| Multiple Crypto Backends | | | alpha | Extensible crypto backend support (GPG, NaCl) |
| Editing Recipients per Secret | | | beta | Select recipients per secret when encrypting |
| Extensions | | | | Extend gopass with custom commands |

Now, if I like Bitwarden so much, why did I switch to gopass?

Well, I’m a big dork. I like nerdy things. I like things that make me feel like a H4X0RM4N. With that extreme nerdiness comes my love of Linux and the Linux Terminal. I like command line interfaces because they look hella nerdy and fun. I don’t know. I’m just a dork, okay?

But the main reason was that I don’t really love the idea of some company having control of all my passwords. Now I know that all of the passwords I saved to Bitwarden are encrypted and they probably aren’t able to look at them whenever they want. But I wasn’t 100% sure. With gopass I am 100% sure, because it uses my own personal gpg keys. No one else has these keys. They live solely on my computer and phone and nowhere else. I am in complete control. All of my passwords are saved in their own file. They can be sorted by directory and they live on my computer. “But Chance, don’t you no longer have sync capabilities since the files are in the computer?” Actually I do! pass and gopass are set up to sync all the encrypted files with a Git repo. I have mine saved to a private GitLab repo. But even if it wasn’t private no one would be able to read my passwords since they are all encrypted with my secret gpg key that only I have!
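The storage model described above keeps each secret's contents encrypted, while the entry names and the recipient key IDs sit in the Git repo as plain text. The following added example (not from the original post) lists what anyone with read access to such a repo can see without a private key. It assumes pass's on-disk layout, where the nearest `.gpg-id` file names the recipients; the store contents and key IDs are constructed.

```python
import os
import tempfile

def build_sample_store(root):
    """Create a constructed store; file bodies are placeholders, not real GPG output."""
    layout = {
        ".gpg-id": "0xAAAAAAAAAAAAAAAA\n",                         # constructed key ID
        "bank/example-bank.gpg": "<ciphertext>",
        "email/example-mail.gpg": "<ciphertext>",
        "work/.gpg-id": "0xAAAAAAAAAAAAAAAA\n0xBBBBBBBBBBBBBBBB\n",  # constructed
        "work/vpn.gpg": "<ciphertext>",
    }
    for rel, body in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)

def effective_recipients(root, entry_dir):
    """Walk up from entry_dir to root and return the nearest .gpg-id contents."""
    current = entry_dir
    while True:
        candidate = os.path.join(current, ".gpg-id")
        if os.path.isfile(candidate):
            with open(candidate) as fh:
                return [line.strip() for line in fh if line.strip()]
        if os.path.abspath(current) == os.path.abspath(root):
            return []  # no recipients file anywhere up to the store root
        current = os.path.dirname(current)

def visible_metadata(root):
    """Return {entry name: recipients}: all readable without any private key."""
    exposed = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip Git internals
        for name in filenames:
            if name.endswith(".gpg"):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                entry = rel[:-len(".gpg")].replace(os.sep, "/")
                exposed[entry] = effective_recipients(root, dirpath)
    return exposed

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_store(root)
        return visible_metadata(root)

if __name__ == "__main__":
    for entry, recipients in sorted(demo().items()):
        print(f"{entry:25} encrypted to {', '.join(recipients)}")
```

Pointing `visible_metadata()` at a real store checkout gives the list of account names and key IDs to review before deciding how widely the repo may be shared.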

I’ve only recently started using gopass but I already really like it. It works on all my devices, my Linux laptop, my Windows desktop, and my Android Phone. I will say however, the Android experience hasn’t really been awesome on Android 10. The password-store app doesn’t seem to work with the native Autofill that Android Pie(?) introduced. But other than that I like it. The browser extension works perfectly with Brave on both Linux and Windows. I think in the future I’ll write a “how-to” style post with what I did to set up gopass on my different devices, but this is just a post about my password manager of choice.

Hope this has been an interesting read, and if you have any questions, feel free to leave a comment below or contact me on Twitter or XMPP.

© Chance Monnette 2019
