by cj 1079 days ago
This isn't a great answer, but I've never liked Chrome password manager because I feel like a password manager is something I want to pay a company for, not a service I want to be given for free. Somehow, it being a free feature that's bundled with my browser makes me not trust it. (Again, not claiming this is a great reason not to use it)

Weird.

I use pass as my password manager on all my Linux boxes (with a yubikey to store GPG keys and Password Store + OpenKeychain on android).

I basically refuse to use any password manager with an implementation I can't see or audit.

I can't imagine trusting any company to handle my passwords correctly.

The only proprietary component is the yubikey which is basically incapable of misbehaving in a way which would cause me to lose control over my passwords unless I lose control over the yubikey itself.

How do you know that the product you use was built from the provided sources?
> How do you know that the product you use was built from the provided sources?

Maybe you haven't heard of pass[1], but it's an open source project, and it's easy to build from source[2].

---

1. https://www.passwordstore.org/

2. https://git.zx2c4.com/password-store/

It's 800 lines of bash. I can read it.
Did you actually look at it and audit it? >99% of people aren't going to do that. They're just assuming somebody has.
Yes, pass is 800 lines of relatively straightforward bash and I am qualified to review bash. Now, granted, it uses GnuPG and git but in those cases I think the risk of problems is minimal.

I haven't in all honesty read the Password Store android application (nor OpenKeychain) source code but I trust my phone sandbox capabilities enough for it not to do anything nefarious like send my passwords somewhere. It's also not so large that it would be hard to read it.

The point is, the operating principles behind how Pass works are simple enough that it's relatively easy to verify the core of any implementation and relatively difficult to smuggle in nefarious behavior.
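The operating principle the commenter refers to is pass's storage model: one GPG-encrypted file per secret under the store directory, with the recipient key IDs read from a `.gpg-id` file, where a subfolder may carry its own `.gpg-id` and the nearest one walking up from the entry wins. The script below is an added example, not code from this thread or from the pass project; it models that recipient lookup in Python over a directory tree it constructs itself (the key IDs and paths are made-up sample values), so a reviewer can answer the question that matters for a store like this: which keys can decrypt which secrets.

```python
"""Added example (not from the thread, not pass's own code): a minimal model of
how pass decides which GPG keys a secret is encrypted to.

Assumptions, mirroring pass's documented layout: each secret is `<name>.gpg`
under the store root, `.gpg-id` holds one key ID per line, and the nearest
`.gpg-id` found walking up from the entry's directory is the one used.
"""
from __future__ import annotations

import tempfile
from pathlib import Path

GPG_ID_FILE = ".gpg-id"


def build_sample_store(root: Path) -> None:
    """Construct a sample store layout (made-up key IDs, not real keys)."""
    root.mkdir(parents=True, exist_ok=True)
    (root / GPG_ID_FILE).write_text("0xAAAA0000PERSONAL\n")
    work = root / "work"
    work.mkdir()
    # Subfolder re-keyed to two recipients: the personal key plus a team key.
    (work / GPG_ID_FILE).write_text("0xAAAA0000PERSONAL\n0xBBBB0000TEAM\n")
    (work / "vpn").mkdir()
    # Empty placeholders stand in for gpg-encrypted secrets.
    (root / "email.gpg").touch()
    (work / "jira.gpg").touch()
    (work / "vpn" / "corp.gpg").touch()


def recipients_for(store: Path, entry: str) -> list[str]:
    """Resolve the key IDs `entry` would be encrypted to.

    Walks from the entry's directory up to the store root and returns the
    contents of the first .gpg-id found. Raises if the entry path escapes the
    store (a traversal guard) or if no .gpg-id exists at all, which is the
    'store not initialised' condition.
    """
    store = store.resolve()
    directory = (store / entry).parent.resolve()
    if store not in (directory, *directory.parents):
        raise ValueError(f"{entry!r} escapes the store")
    while True:
        candidate = directory / GPG_ID_FILE
        if candidate.is_file():
            ids = [line.strip() for line in candidate.read_text().splitlines()]
            return [key_id for key_id in ids if key_id]
        if directory == store:
            raise FileNotFoundError("no .gpg-id found; store not initialised")
        directory = directory.parent


def audit_store(store: Path) -> dict[str, list[str]]:
    """Map every secret in the store to its recipients: who can decrypt what."""
    result: dict[str, list[str]] = {}
    for path in sorted(store.rglob("*.gpg")):
        rel = path.relative_to(store).as_posix()
        result[rel] = recipients_for(store, rel)
    return result


def demo() -> dict[str, list[str]]:
    """Build the sample store in a temp dir and audit it."""
    store = Path(tempfile.mkdtemp()) / "store"
    build_sample_store(store)
    return audit_store(store)


if __name__ == "__main__":
    for name, keys in demo().items():
        print(f"{name}: {', '.join(keys)}")
```

The audit is the check worth running on a real store: anyone who can append a line to a `.gpg-id` file gains the ability to read every secret re-encrypted beneath it, which is why pass can optionally require `.gpg-id` to carry a detached signature (`PASSWORD_STORE_SIGNING_KEY`) before it will trust the listed recipients.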

> Did you actually look at it and audit it? >99% of people aren't going to do that. They're just assuming somebody has.

That's a fair point. I certainly haven't.

But the great virtue of pass is that it runs locally, which means that it's much more difficult to attack than a SaaS password manager.

I have, pass is just a bash script with <1000 loc.