Honestly, when I first started working on mypass, I wasn't aware of "pass".
Anyway, one issue I have with "pass" is that it leaks metadata, as it uses the file system to organize different credentials, while only the files storing the credentials themselves are encrypted.
Also, "pass" uses GPG for encryption, which can provide additional security if you store your private key on an external drive or smartcard, and take additional measures to make it more difficult to obtain access to your password store and private key at the same time. But in the more common setup where the password store is stored alongside the private key on the same device, cracking your GPG passphrase will require less computation than cracking a passphrase using PBKDF2 with 256,000 iterations, as used for key derivation in mypass.
That's awesome. I'm looking forward to any feedback. Not sure for how much longer I will keep monitoring this thread. But you can reach me by filing issues on GitHub, or if you could at least drop me an email at sebastian.noack@gmail.com and share your feedback, I would much appreciate it.