by iudqnolq 2382 days ago
High-school me fucked up pass and exposed a lot of data. It was entirely my own fault, but there are footguns if you don't fully understand the model.

Essentially, I accidentally publicly exposed my private key. I thought I was clever for writing a Python script to dump all my passwords and then re-add them after setting up pass with a new key.

A year later, when I accidentally deleted my private key (reformatted laptop, phone bricked before I set the laptop back up), I spent a few hours trying to figure out if I had made a mistake that would let me recover my passwords. I was very motivated :)

Eventually, I realized that since I'd been using git to sync pass between my phone and computer (the recommended setup) I could access versions of my encrypted data for every account more than a year old and decrypt them with the private key I leaked. I got back almost all my data.

Luckily I was using a private git repository for defense in depth, but many guides recommend a public repository because they say gpg is very strong.

It all works, but only if you don't do something dumb like I did. Now I'm on 1password and happy knowing that experienced people are paid to make it and smart security researchers like Troy Hunt (of haveibeenpwned fame) have said it's the most secure password manager they've looked into.
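The failure mode in the comment above is worth making concrete: `pass init <new-key>` re-encrypts every entry to the new key, but git keeps the old ciphertexts in history, and an OpenPGP file names its recipient key ID in cleartext in the leading Public-Key Encrypted Session Key packet. The check below is an added example, not code from the commenter or from the pass project: it parses just enough OpenPGP packet structure (RFC 4880 packet headers and the PKESK packet) to list the recipient key IDs of a `.gpg` blob, then walks a constructed stand-in for a git history to find every historical blob a holder of the leaked key could still decrypt. The key IDs, commit hashes, paths and the blob contents are all constructed; the MPI and payload bytes are filler, not real ciphertext.

```python
"""Find password-store blobs in git history still encrypted to a leaked key.

Added example: parses OpenPGP packet headers and PKESK packets (RFC 4880
sections 4.2 and 5.1) to read recipient key IDs, then audits a constructed
git history. Not the pass project's own code.
"""
import struct

PKESK_TAG = 1   # Public-Key Encrypted Session Key packet
HIDDEN_RECIPIENT = "0000000000000000"  # gpg --throw-keyids writes an all-zero key ID


def _read_packet_header(buf, pos):
    """Parse one OpenPGP packet header at buf[pos].

    Returns (tag, body_start, body_len). body_len is None for the
    indeterminate / partial-body forms, which PKESK packets never use.
    """
    first = buf[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header at offset %d" % pos)
    if first & 0x40:                      # new-format header
        tag = first & 0x3F
        l1 = buf[pos + 1]
        if l1 < 192:
            return tag, pos + 2, l1
        if l1 < 224:
            return tag, pos + 3, ((l1 - 192) << 8) + buf[pos + 2] + 192
        if l1 == 255:
            return tag, pos + 6, struct.unpack(">I", buf[pos + 2:pos + 6])[0]
        return tag, pos + 2, None         # partial body length
    tag = (first >> 2) & 0x0F             # old-format header
    ltype = first & 0x03
    if ltype == 0:
        return tag, pos + 2, buf[pos + 1]
    if ltype == 1:
        return tag, pos + 3, struct.unpack(">H", buf[pos + 1:pos + 3])[0]
    if ltype == 2:
        return tag, pos + 5, struct.unpack(">I", buf[pos + 1:pos + 5])[0]
    return tag, pos + 1, None             # indeterminate length


def recipient_key_ids(blob):
    """Long key IDs (16 upper-case hex chars) of every recipient of a .gpg file.

    Walks the leading PKESK packets and stops at the first packet of any
    other type (normally the SEIPD packet carrying the ciphertext). A hidden
    recipient shows up as HIDDEN_RECIPIENT.
    """
    ids = []
    pos = 0
    while pos < len(blob):
        tag, start, length = _read_packet_header(blob, pos)
        if tag != PKESK_TAG:
            break
        if length is None or blob[start] != 3:     # PKESK version must be 3
            raise ValueError("unsupported PKESK packet at offset %d" % pos)
        ids.append(blob[start + 1:start + 9].hex().upper())
        pos = start + length
    return ids


def _fake_pgp_file(key_ids, payload=b"hunter2\n"):
    """Constructed stand-in for a pass entry encrypted to key_ids.

    Mirrors what GnuPG writes for RSA-2048 recipients: old-format PKESK
    header 0x85 with a two-byte length (so the file starts 85 01 0c), then a
    new-format SEIPD packet (tag 18). MPI and payload bytes are filler.
    """
    out = b""
    for kid in key_ids:
        mpi = struct.pack(">H", 2048) + b"\x00" * 256       # 2048-bit MPI (filler)
        body = b"\x03" + bytes.fromhex(kid) + b"\x01" + mpi  # v3, key ID, RSA, MPI
        out += b"\x85" + struct.pack(">H", len(body)) + body
    seipd_body = b"\x01" + payload
    out += b"\xD2" + bytes([len(seipd_body)]) + seipd_body
    return out


OLD_KEY = "0123456789ABCDEF"   # the leaked key (constructed)
NEW_KEY = "FEDCBA9876543210"   # the key rotated in afterwards (constructed)

# Constructed git history, oldest first, as (commit, path, blob): two entries
# encrypted to OLD_KEY, then one commit where `pass init NEW_KEY` re-encrypted
# everything. HEAD is clean; the old ciphertexts are still in history.
HISTORY = [
    ("a1b2c3", "email/gmail.gpg", _fake_pgp_file([OLD_KEY])),
    ("d4e5f6", "bank/chase.gpg", _fake_pgp_file([OLD_KEY])),
    ("789abc", "email/gmail.gpg", _fake_pgp_file([NEW_KEY])),
    ("789abc", "bank/chase.gpg", _fake_pgp_file([NEW_KEY])),
]


def still_readable_with(history, leaked_key_id):
    """(commit, path) of every blob in history a holder of leaked_key_id can decrypt."""
    return [(commit, path) for commit, path, blob in history
            if leaked_key_id in recipient_key_ids(blob)]


if __name__ == "__main__":
    for commit, path in still_readable_with(HISTORY, OLD_KEY):
        print("%s %s still decryptable with leaked key %s" % (commit, path, OLD_KEY))
```

On a real store, feed the function the blobs git keeps: `git rev-list --objects --all | grep '\.gpg$'` lists every blob ever committed, and `git cat-file blob <sha>` dumps its bytes (`gpg --list-packets` on the same bytes shows the same key IDs). A non-empty result for a leaked key means rotating keys was not enough: the affected passwords have to be changed, and the history has to be rewritten or the store moved to a fresh repository before it is pushed anywhere the leaked key's holder can read.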