by phoe-krk 1251 days ago
Use a VPS that uses SSH with key-based authentication, store the git tree of your passwords there. Uploading your whole password tree to a public repository is a bad idea for reasons explicitly mentioned in the article (i.e. pass does not encrypt metadata about the file/directory names, git stores all creation/modification/deletion dates and times).
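As an added illustration of the metadata point above (this is not code from the thread or from pass itself): the script parses `git log --name-status` output from a hypothetical pass store, here a constructed sample, and lists what anyone who can read the repository learns about account names and activity without ever touching the GPG key.

```python
import re
from datetime import datetime

# Constructed sample of:
#   git log --reverse --date=iso-strict --format='commit %H%n%ad' --name-status
# run inside a hypothetical pass store. Paths are what pass leaves in the
# clear: each ".gpg" file is an account, directories are the user's grouping.
SAMPLE_LOG = """\
commit 1111111111111111111111111111111111111111
2021-03-01T09:12:00+01:00
A\tmail/example.com/alice.gpg
A\tbank/example-bank.gpg
commit 2222222222222222222222222222222222222222
2021-03-15T22:40:10+01:00
M\tbank/example-bank.gpg
commit 3333333333333333333333333333333333333333
2021-04-02T07:05:33+02:00
D\tmail/example.com/alice.gpg
A\tmail/example.com/alice2.gpg
"""

ACTION = {"A": "created", "M": "changed", "D": "deleted"}

def parse_log(text):
    """Return (timestamp, action, entry) tuples in history order.

    Only .gpg files count; the entry name is the path minus the suffix,
    which is exactly how pass names the secret. Renames (R lines from
    git's -M detection) are not handled in this sample."""
    events, when = [], None
    for line in text.splitlines():
        if line.startswith("commit "):
            when = None          # the next non-empty line is the date
        elif when is None and line:
            when = datetime.fromisoformat(line)
        else:
            m = re.match(r"^([AMD])\t(.+)\.gpg$", line)
            if m and when is not None:
                events.append((when, ACTION[m.group(1)], m.group(2)))
    return events

def exposure_report(text):
    """Summarise what a reader of the repository history learns."""
    events = parse_log(text)
    stamps = [t for t, _, _ in events]
    return {"entries": sorted({e for _, _, e in events}),
            "events": len(events),
            "span_days": (max(stamps) - min(stamps)).days}

if __name__ == "__main__":
    for when, action, entry in parse_log(SAMPLE_LOG):
        print(f"{when.isoformat()}  {action:8s} {entry}")
    print(exposure_report(SAMPLE_LOG))
```

Run it against a real store with the same git command piped in to see the account list and change timeline a remote's operator would see.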

"Use a VPS that uses SSH with key-based authentication, store the git tree of your passwords there."

Exactly what I told my Filipino mother in law to protect her AOL account. I can't imagine why she doesn't do it.

What could possibly make you think that the guy who wrote pass (a git backed command line password manager) gives a shit about whether or not your "Filipino" mother in law wants to use it?
That's a strawman. I'm neither your Filipino mother nor ever suggested that she should be doing this.
There is nothing invalid about the observation. (not a strawman)
The intended userbase of pass is clearly not non-tech-savvy/non-security aware Filipino mothers, so your remark is irrelevant.
> Use a VPS that uses SSH with key-based authentication, store the git tree of your passwords there.

I'm not sure whether that's actually better than storing it on github (or any other professionally managed git instance). Sure, you gain some security by obscurity (because your VPS isn't a juicy target like github is), but that's about it. If the FBI is after you, they can send a letter to your VPS provider just like they can send a letter to github. I probably also expect github to do a better job at keeping their systems secure than an amateur sysadmin. In both cases the chance of getting hacked is fairly low, but the whole point of a password manager is that you don't have to rely on the storage service being secure to keep your passwords safe. If you need to rely on the storage service (e.g. git server) to be not compromised for your passwords to be safe, then that kills a large benefit of using a password manager.

> If the FBI is after you, they can send a letter to your VPS provider just like they can send a letter to github.

And unless that VPS is in the US or provided by a US company, it's unlikely the FBI will get much of a useful response to that letter. Some countries' LEAs cooperate with the FBI and other American LEAs, but not all.

The VPS does not have my private GPG key, stored locally, and hence cannot use it to decrypt the passwords.
Right, but if an attacker has access to the VPS, they can pull off the various shenanigans that are described in the OP? That's the whole thesis of the article. If you have access to the underlying storage of pass (e.g. the git instance if you're using git to sync everything), then you can perform some attacks. The attacks aren't catastrophic (i.e. attackers being able to decrypt your passwords with no intervention), but they're still pretty bad nonetheless.
If the attacker has userspace access to my VPS or - even worse - my daily driver, then I have much bigger fish to worry about. The attacker is then a single zero-day away from gaining root access and being able to keylog everything I input on my physical keyboard or send via SSH, at which point the issues mentioned in the article become meaningless.