Pass uses gpg along with the filesystem and git, so it is lightweight, and super-easy to back up offsite, as long as you guard your gpg keys separately. For those who want a GUI, QtPass[2] provides a simple GUI while using pass in the background.
The whole source code of bash pass [1] is almost as long as a single header file [2] from this C++ software. Plus pass already handles backup... Minimalist heh.
[1] https://git.zx2c4.com/password-store/tree/src/password-store...
[2] https://github.com/JFreegman/SpicyPass/blob/master/src/spicy...
tl;dr different strokes for different folks. I didn't write spicypass with the intent of replacing pass.
One difference I see between this and pass is that spicypass is storing all the credentials in a single file. If you don't want to leak metadata with pass you have to add pass-tomb[1].
Anyway I just use pass (gopass actually) and I have no problems, it's a great improvement over a text editor.
[0]: https://github.com/dylanaraps/pash
[1]: https://git.sr.ht/~seirdy/dotfiles/tree/master/.config/shell...
And for the life of me I cannot get it to prompt for the password in the terminal, which is infuriating.
First glance of SpicyPass looks promising in my eyes.
[0] https://play.google.com/store/apps/details?id=com.zeapo.pwds...
I personally use Bitwarden, also because it's free and open source software, and because the cloud managed option is $10 / year. I've found the GUI to be very well-made for a heavy keyboard user like me. I also second a curses-based terminal interface for password management, I think it'll be really useful!
With a requirement to pay an extra $5 on your server instance monthly for more memory to self-host the official version, you'll be paying a lot more than $10/year.
That being said, I use Bitwarden and it's great.
If you build a great product people need, it's not a headspinner why people would use it and buy it. Hopefully going into this recession we'll see more products with that lesson baked in.
Run the bitwardenrs container without SSL:
sudo docker pull bitwardenrs/server:raspberry
sudo docker run -d --name bitwarden --restart always -e ADMIN_TOKEN=your_admin_token -v /bw-data/:/data/ -p 80:80 bitwardenrs/server:raspberry
Proxy through Caddy (note that I'm using DuckDNS for DNS):
curl https://getcaddy.com | bash -s personal tls.dns.duckdns
nohup caddy -http-port 999 -conf /etc/caddy/Caddyfile -envfile /etc/caddy/CaddyEnvFile -agree -email YOUR_EMAIL@gmail.com &
(the port 999 is because we've already got docker container running on port 80)
Follow the examples here for the configuration: https://github.com/dani-garcia/bitwarden_rs/wiki/Proxy-examp...
Instructions here: https://hub.docker.com/r/jrcs/letsencrypt-nginx-proxy-compan...
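Added example (not from the commenter above nor from the bitwarden_rs wiki): a Caddy v1 Caddyfile for the proxy step above, matching the caddy v1 binary and -conf/-envfile flags used there. It assumes the container from the docker run above is instead started with -p 127.0.0.1:8080:80 (and -p 127.0.0.1:3012:3012 with -e WEBSOCKET_ENABLED=true for the websocket notifications hub) so the plaintext port is reachable only through the proxy; with the container off port 80, caddy can then take ports 80/443 itself instead of -http-port 999. The hostname is a placeholder, and the tls.dns.duckdns plugin reads its API token from a DUCKDNS_TOKEN variable, which is what the -envfile above is for.

```caddyfile
# Placeholder hostname: replace with your own DuckDNS subdomain.
bitwarden.example.duckdns.org {
    # Certificates via the DNS-01 challenge, so nothing needs port 80 open inbound.
    tls {
        dns duckdns
    }

    header / {
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        X-Frame-Options "SAMEORIGIN"
        X-Content-Type-Options "nosniff"
    }

    # Websocket notification hub (assumes WEBSOCKET_ENABLED=true and port 3012 published on loopback).
    proxy /notifications/hub 127.0.0.1:3012 {
        websocket
    }
    proxy /notifications/hub/negotiate 127.0.0.1:8080 {
        transparent
    }

    # Everything else goes to the web vault / API on the loopback-only port.
    proxy / 127.0.0.1:8080 {
        transparent
    }
}
```

Binding the container to 127.0.0.1 is the part that matters: with the original -p 80:80 the unencrypted web vault answers directly on every interface, so the TLS proxy can simply be bypassed.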
Bitwarden also has a CLI, so it's probably do-able to create something like this.
I built envwarden[0] on top of the CLI, which lets us manage our server secrets with Bitwarden.
So one of the main differences is that spicypass is setup-free. You just pick a master password and go. It achieves this by using symmetric encryption via the libsodium library. A nice side-effect of this is that backups are as simple as copying the .spicypass file to your backup device/server. With asymmetric encryption you have to worry about backing up your private keys in addition to the store file(s).
Another major difference is that it has an idle lock. Even if someone has root access to your machine and you leave it unattended while spicypass is running, they won't be able to see your passwords (assuming there's no keylogger involved).
There's also the minimalist aspect. pass has a lot of features that I personally don't need and consider to be bloat. I designed spicypass to my own personal specs: a very simple notepad-like interface, but secure. I figure I can't be the only one who thinks all the bells and whistles that most password managers have just get in the way.
When I want to push to a git repo and authenticate with my private key, I just run git push normally, and a pin-entry prompt comes up, and I just need to enter my master password. Similarly, when I want to use a stored password for logging into a website, I just click the passff extension and enter my master password into the pinentry program. It would seem like something like spicypass would just bloat my system, requiring multiple programs for authenticating in different ways.
I can understand the drive for minimalism, but I can't see any reasonable metric by which pass could be seen as bloated - it provides a small set of features that are important for a password store and nothing more.
Given SpicyPass doesn't have that, I think I'll still be with Pass, because it's free and simply amazing.
I absolutely understand why this might turn some people off, maybe even most people. But I know that there are people (like me) who want something that isn't connected to the cloud, and isn't going to inherit all of the security flaws of their browser.
Specifically, I love the fact that I can configure otp and depend less on my phone.
Those features make it the best password manager for me.
I'm curious to see a comparison.
I need access to passwords from my phone so I'll stick with KeePassXC, but nice project! This makes me want to play around with libsodium, the API looks nice.
Though this isn't set in stone if someone wants to formally correct me.
And libsodium is indeed a pleasure to work with.
If you use passwords of a small enough size that this would really be a problem (like four digit PINs or your "aaaaA1!" example) then your password isn't delivering adequate security against brute force and so you've definitely lost.
If you use passwords that are big enough to make brute force impractical anyway then this "feature" will never make any real difference and is just a waste of time at best, and since it adds complexity it's another place to hide bugs.
Having a PwnedPasswords check (not this silly "repeating characters" test) makes sense if you allow users to enter passwords. Whereas if you generate passwords of decent length and at random then they're random so there's no purpose in checking them.
edit: they do!
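Added example to go with the three comments above on password checks (my own code, not the commenter's and not from any of the projects discussed): it generates passwords with the standard-library `secrets` module and reports their entropy, and it runs the PwnedPasswords k-anonymity check that the comment recommends for user-entered passwords. The lookup only ever sends the first five hex characters of the SHA-1 hash; here the HTTP call is replaced by a constructed offline stand-in for the range response (the first suffix listed is the real SHA-1 of "password"; the count beside it and the second line are made up), so the block runs without network access.

```python
import hashlib
import math
import secrets
import string

# 94 printable ASCII symbols; a random 20-character password from this set
# has 20 * log2(94) ~ 131 bits of entropy, far beyond brute-force range.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20):
    """CSPRNG-backed password; no point vetting these against a breach list."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    return length * math.log2(alphabet_size)


# Constructed stand-in for the body of GET https://api.pwnedpasswords.com/range/5BAA6.
# The real service answers with "SUFFIX:COUNT" lines for every breached SHA-1 that
# starts with the requested 5-hex-character prefix. The first suffix is the remainder
# of SHA-1("password"); its count and the second line are invented for this example.
FAKE_RANGE_RESPONSES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
             + "0" * 34 + "A:2\r\n",
}


def fetch_range(prefix):
    """Offline replacement for the HTTPS range request (assumption: same line format)."""
    return FAKE_RANGE_RESPONSES.get(prefix, "")


def pwned_count(password, fetch=fetch_range):
    """k-anonymity lookup: only the 5-char hash prefix leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        if not line:
            continue
        found, _, count = line.partition(":")
        if found == suffix:
            return int(count)
    return 0


def vet_user_password(password, min_bits=80, fetch=fetch_range):
    """Return None if a user-chosen password is acceptable, else the reason.

    Only two tests matter: is it long enough to resist brute force, and has it
    already leaked. No 'repeating characters' heuristics.
    """
    # Upper bound on entropy, treating each character as drawn from ALPHABET.
    if entropy_bits(len(password)) < min_bits:
        return "too short to resist brute force"
    hits = pwned_count(password, fetch)
    if hits:
        return f"appears in {hits} known breaches"
    return None


if __name__ == "__main__":
    pw = generate_password()
    print(f"generated {pw!r}: {entropy_bits(len(pw)):.1f} bits, pwned={pwned_count(pw)}")
    print("user password 'password':", vet_user_password("password"))
```

The breach check is the only step that needs outside data, so it is the only step worth wrapping in a `fetch` parameter: a real client would issue the range request over HTTPS and pass the body to `pwned_count` unchanged.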
I still think pass is the best password manager for Unix-like systems.
It lets me use multiple keys using GPG. It's simple and minimalistic. It allows for integration with 3rd party web GUIs you can expose on your home LAN and access with a VPN from your cellphone.
Also, I was a long-time 1Password user, switched to my current setup after 1Password moved to the rent-seeking subscription business model with 1Password 7.
In terms of convenience, it’s even more convenient than using 1Password. The only minor hitch is having to key in the PIN for the Yubikey if I haven’t used it for a bit.
That said, barring an audit by a respectable security firm, I think a lot of eyeballs on an open source project who can confirm that the implementation is correct is the most important thing. For that reason, I don't plan to switch away from KeePass in the near future.
>The string produced by crypto_pwhash_str() already includes an algorithm identifier, as well as all the parameters (including the automatically generated salt) that have been used to hash the password.
https://libsodium.gitbook.io/doc/password_hashing/default_ph...
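Added example illustrating the quoted libsodium point (my own code, not libsodium's and not spicypass's): the string `crypto_pwhash_str()` writes is self-describing, `$argon2id$v=19$m=<KiB>,t=<passes>,p=<lanes>$<salt>$<hash>` (`argon2i` for the older default), so a verifier needs nothing beyond the string itself. The parser below pulls the algorithm, version, cost parameters, salt and hash back out, and adds the check a reviewer would want: that stored strings still meet a minimum cost. The sample strings are constructed (the salt and hash are just byte counters, not real output), and the minimums assumed are libsodium's interactive defaults of 64 MiB and 2 passes.

```python
import base64
import re
from dataclasses import dataclass

# Assumed floor for accepting a stored hash: libsodium's OPSLIMIT_INTERACTIVE (2)
# and MEMLIMIT_INTERACTIVE (64 MiB, i.e. m=65536 KiB).
MIN_MEMORY_KIB = 64 * 1024
MIN_TIME_COST = 2


@dataclass(frozen=True)
class PwhashString:
    algorithm: str
    version: int
    memory_kib: int
    time_cost: int
    parallelism: int
    salt: bytes
    digest: bytes


def _b64decode_unpadded(s):
    # libsodium emits standard base64 without '=' padding; restore it to decode.
    return base64.b64decode(s + "=" * (-len(s) % 4))


def parse_pwhash_str(s):
    """Parse a crypto_pwhash_str() string; raise ValueError on anything malformed."""
    parts = s.rstrip("\x00").split("$")
    if len(parts) != 6 or parts[0] != "":
        raise ValueError("not a $alg$v=..$m=..,t=..,p=..$salt$hash string")
    _, alg, ver, params, salt_b64, hash_b64 = parts
    if alg not in ("argon2id", "argon2i"):
        raise ValueError(f"unsupported algorithm {alg!r}")
    m = re.fullmatch(r"v=(\d+)", ver)
    if not m:
        raise ValueError("missing version field")
    kv = {}
    for item in params.split(","):
        key, _, val = item.partition("=")
        if key not in ("m", "t", "p") or not val.isdigit():
            raise ValueError(f"bad cost parameter {item!r}")
        kv[key] = int(val)
    if set(kv) != {"m", "t", "p"}:
        raise ValueError("cost parameters must be exactly m, t and p")
    salt = _b64decode_unpadded(salt_b64)
    digest = _b64decode_unpadded(hash_b64)
    if len(salt) != 16 or len(digest) < 16:
        raise ValueError("unexpected salt or hash length")
    return PwhashString(alg, int(m.group(1)), kv["m"], kv["t"], kv["p"], salt, digest)


def meets_minimum_cost(p, min_memory_kib=MIN_MEMORY_KIB, min_time_cost=MIN_TIME_COST):
    """True if a stored hash was produced with at least the assumed cost floor."""
    return (p.algorithm == "argon2id"
            and p.memory_kib >= min_memory_kib
            and p.time_cost >= min_time_cost)


# Constructed samples: 16-byte salt and 32-byte hash are byte counters 0x00.., not real output.
SAMPLE_OK = ("$argon2id$v=19$m=65536,t=2,p=1"
             "$AAECAwQFBgcICQoLDA0ODw"
             "$AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8")
SAMPLE_WEAK = SAMPLE_OK.replace("m=65536,t=2", "m=1024,t=1")

if __name__ == "__main__":
    for s in (SAMPLE_OK, SAMPLE_WEAK):
        p = parse_pwhash_str(s)
        print(p.algorithm, p.version, p.memory_kib, p.time_cost, p.parallelism,
              "ok" if meets_minimum_cost(p) else "below cost floor")
```

Because the parameters travel with the hash, a store can raise its cost settings later and simply rehash each entry on next successful login; the parser plus `meets_minimum_cost` is how you find the entries still waiting for that.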
Simplicity? Written in C++?
What I'd love is a TUI ("curses") interface to keepassdb with quick vim-like navigation. GUI is both too heavy and not too keyboard-friendly.
In fact, unless there's a specific (and specified) reason, all password managers should be based on the somewhat de facto standard of keepassdb.
Just be careful about leaking to .viminfo file. :)