Hacker News new | ask | show | jobs
by Arch-TK 1082 days ago
Weird.

I use pass as my password manager on all my Linux boxes (with a yubikey to store GPG keys and Password Store + OpenKeychain on android).

I basically refuse to use any password manager with an implementation I can't see or audit.

I can't imagine trusting any company to handle my passwords correctly.

The only proprietary component is the yubikey which is basically incapable of misbehaving in a way which would cause me to lose control over my passwords unless I lose control over the yubikey itself.
2 comments
ValleZ 1082 days ago
How do you know that the product you use was built from the provided sources?
link
nordsieck 1082 days ago
> How do you know that the product you use was built from the provided sources?

Maybe you haven't heard of pass[1], but it's an open source project, and it's easy to build from source[2].

---

1. https://www.passwordstore.org/

2. https://git.zx2c4.com/password-store/

link
Arch-TK 1082 days ago
It's 800 lines of bash. I can read it.
link
chkaloon 1082 days ago
Did you actually look at it and audit it? >99% of people aren't going to do that. They're just assuming somebody has.
link
Arch-TK 1082 days ago
Yes, pass is 800 lines of relatively straightforward bash and I am qualified to review bash. Now, granted, it uses GnuPG and git but in those cases I think the risk of problems is minimal.

I haven’t in all honesty read the Password Store android application (nor OpenKeychain) source code but I trust my phone sandbox capabilities enough for it not to do anything nefarious like send my passwords somewhere. Its also not so large that it would be hard to read it.

The point is, the operating principles behind how Pass works are simple enough that its relatively easy to verify the core of any implentation and relatively difficult to smuggle in nefarious behavior.

link
nordsieck 1082 days ago
> Did you actually look at it and audit it? >99% of people aren't going to do that. They're just assuming somebody has.

That's a fair point. I certainly haven't.

But the great virtue of pass is that it runs locally, which means that it's much more difficult to attack than a SaS password manager.

link
worksonmine 1082 days ago
I have, pass is just a bash script with <1000 loc.
link