PASS: a Password Manager & Two Factor Authentication (OTP) with no Cell Phone
HTML-код
- Опубликовано: 10 ноя 2020
- Usually I just remember my passwords, but the program pass is very nice for storing many passwords, calling them in scripts, inserting them from a dmenu prompt and more. Crucially, with the pass-otp module, it can also do Two Factor Authentication (2FA/TFA) AKA One Time Passwords (OTP) where you use a 6-digit-password that changes every half a minute or so. Usually, normies use a cell phone for this, but you can actually just have pass do it on your computer. I actually have a dmenu prompt that gives me a list of all my OTPs to insert, and it automatically generates the six-digit password.
Pass will be in your distro's package repository, but here's the site.
www.passwordstore.org/
pass-otp is probably also in your repository, but here is the Github:
github.com/tadfisher/pass-otp
Note that I also use the program zbarimg to convert a QR code into text that we can feed into pass-otp. It will be in your distro's package repo too.
Pass uses GPG to encrypt and decrypt your passwords, so I also talk about making a GPG key pair. You can have your GPG unlock automatically on login with pam-gnupg:
github.com/cruegge/pam-gnupg
WEBSITE: lukesmith.xyz 🌐❓🔎
DONATE: lukesmith.xyz/donate 💰😎👌💯
OR affiliate links to things l use:
www.epik.com/?affid=we2ro7sa6 Get a cheap and reliable domain name with Epik.
www.vultr.com/?ref=8384069-6G Get a VPS and host a website or server for anything else.
brave.com/luk005 Get the Brave browser.
lbry.tv/$/invite/@Luke View my videos on LBRY. Get a bonus for joining.
www.coinbase.com/join/smith_5to1 Get crypto-rich on Coinbase. We both get $10 in Bitcoin when you buy or sell $100 in cryptocurrencies. 
Наука
You didn't mention that it can generate random passwords that are orders of magnitude more secure than what someone could just make up. I use all generated passwords. I'm so secure that I even generated my GPG key pair password and now I am locked out of everything. Trust no one, not even yourself.
That's the ultimate security.
The end user is always the problem. I’m looking at you Klayperson. 👀
You can generate passwords via `openssl rand -base64 ` and piping that into `tr -c -d '[:alnum:]'`, sed or whatever you want to leave only alphabetic and numeric characters in your password. You also can generate all that by yourself with a simple python script or C program, or even with a shell and some standart posix tools and /dev/random.
😂😂😂
OMG it’s been so long since an upload I was getting withdrawals for not consooming
Oh no, Luke is uploading videos constantly, he became a normie
Ad revenue really break a nigga.
"I'm thinking of snipping my internet"
I recommend integrating git into pass. You will always be able to go back and view old passwords, and it makes it easy to clone and share with other machines. Once it's set up, pass will automatically create a commit for each password you insert. And as someone else mentioned, there is a generate pass word option which is very nice. Once last thing, you can use -c to copy to your clipboard and it will disappear in the amount of time you set in your .rc file: `export PASSWORD_STORE_CLIP_TIME=145` (seconds)
0:14 "devoid of junk"?
Unaboomer trying hard to not say the B-word
I was literally getting into Pass yesterday and today you upload this
IMMA HAVE TO GO GET MY TIN FOIL SUIT
Pass also has a bunch of frontends for your browser / desktop which may be of interest. Passff is the Firefox extension and pass menu is a desktop agnostic dmenu implementation
Good to see you’ve went back to your old thumbnail style
been using pass for the pass year or so. lovely little thing
THANK YOU-- great video--- I needed this.. everybody else gets longwinded and goes through a bunch of crap I don't need.. you get right to it and say simply what it is which I needed!!!!!
Just a few extra notes on pass and pass-otp:
Pass-otp can retrieve your otp code from anywhere in the password file, so you do not need to keep the otp in a separate file. I put my otp code in the same file as my password.
You can make your own extensions for pass, they are basically just shell scripts that go into the ".extensions" dir. I have a few, such as an extension to get the "nth" character of a password.
Didn't know about passmenu and otp
thanks!
This very well helpful along with your other content, but I guess sometimes we need to have a portable option for our passwords, like sometimes on phone or anything, or when we are away from our home linux system
Hey, Luke! pass-otp is nice, but inherently flawed. It's not secure way to use 2FA, because it's basically all eggs in the same basket, which defeats whole purpose. Same problem with pam-gnupg.
And also quick side note: you can use pinentry-curses to unlock gpg without GUI.
Isn't the point of otp for 2FA to provide the security of having a separate device in your possession and therefore having it on the same machine as you are entering the password flawed? (Love your videos. Big thank you)
OpenKeychain with PasswordStore uses pass and can synchronize across multiple devices using git. Worth checking out if you have an Android device (make sure to install using F-Droid and not the Play Store)
Why not play store?
Asking for a friend😐
@@maxim1152 Play store app versions don't typically track the later versions of the applications provided on F-Droid. Its not a replacement app store, just one for free and open source applications.
Great video as always! Could you also cover the official browser extensions for pass (like PassFF for Firefox) and where to get the the otpauthpath for a specific web-site? I don't have qr codes for my usecase, only the numbers
Yes, this looks so cool but 2FA has to be kept on a different different device, otherwise it’s not “2 factor”. That’s why you shouldn’t use Authy on your PC, the concept is that if somebody manages to steal your PC, he also has to steal your phone. In this way, the layer of security is much higher. As long as you store passwords with it, I’m fine with that, cause apps like Bitwarden or keepass do the same thing. But that OTP feature is really insecure and counterproductive
Yep, it's basically "cheating" 2FA and reducing it to 1FA for the sake of convenience.
then where should I keep my OTPs? if I keep on phone, it becomes '1 factor' but PC 2fa, and if I keep on PC phone becomed 2fa and pc 1FA.
how do u suggest to solve this? buy different phone/pc?
i feel like you do not understand the fact encryption is involved here. This whole fascination with multiple unique physical devices in order to protect against unauthorized physical access is so completely overrated. Come take my physical machine..... I invite you. Good luck getting past LUKS just so you can start the fun of trying to compromise my encrypted private key. Meanwhile, I'll be up and running within a few minutes after I've riced another box based off a copy of my encrypted key pair along with scripts I maintain on my encrypted usb thumb drive. The mass adaption and defacto work flow of "2FA" is so grossly ignorant in that it completely disregards convenience and usability in order to appease the illusion of security. Hell, most of the "2FA dolts" who blindly adhere to the typical rituals you're talking about are running Windows or OSX.......... in other words, they're running a non-free OS completely under the control of a 3rd party they've NEVER met or contracted with. LOL. Also, If 2 devices is better than 1, why not 10? or 20? Hell, we can just sit around all day authenticating to this and that, never getting any actual work done. Also, good luck getting yourself back up and running when you lose your physical secondary device you've allowed to be so forced into your workflow. Yea, I know............ recovery keys........ sure, I get it. Good luck just the same.
Great content. I didn't know otp. Could you explore more about gpg? Like create subkeys, extract one subkey to each purpose (home/work), remove the master from the subkeys, yada yada.
better be worth it, watched 2 etoro ads for this
The otp URL "thingy" is the "Key URI", as defined at github.com/google/google-authenticator/wiki/Key-Uri-Format. :)
Yes, yes, yes! I was waiting so long for a video about some password manager. Now if you only recommend some backup program…
cp, rsync...
@@LukeSmithxyz + cron, inotify (or if you dont mind, through entr)
@@LukeSmithxyz Ok. But if I'd like to back up only certain directories and have snapshots of them over time. I tried to have a git repo in my home directory, but it kinda messes all of the others git repositories I have.
BorgBackup
Borg and optionally borgmatic does what you want. Along with client-side encryption.
Hey man thank you for all your nice video I have question to you; what if we use a phone without sim card and that never connected to wifi as ledger password manager? What is your thoughts about it! Thank you.
if you are bloated with accounts keepass is a better alternative
didn't know pass is capable of otp. thanks!
My first password manager and probably the last I will ever use. So useful and simple of a program. Some additional stuff it can do:
'pass generate mynewpass [X]' generates a password of length X instead of asking for inserting one. Default length is 20, I think. Use -n flag to generate an alphanumeric password.
It has integration with git. It autogenerates commits when things change in the password store, and 'pass git' works like 'git' for the password store repo from anywhere. I only ever need to use 'pas git push' and 'pass git pull'.
The flag -c puts the password in your clipboard instead of printing it. Useful for pass on mobile phone through termux, for example.
If the name of the password to add contains a slash it will put it in a folder. Might be useful for organization purposes, but makes longer names.
With good folder structure and passmenu the longer names are helpful to search in my passwords, I set passmenu to be multiline and have around 20 lines, so it is very nice.
I'm curious about your opinion on key security. You mentioned that you use `pam-gnupg` to unlock your key automatically, but I've always been wary of those kinds of things. Even if it's set with a timeout of an hour, or even less, I generally use my SSH and PGP keys so often that they can be open for a relatively long time. Especially without any way for me to know when something is attempting to access my key, and for me to securely confirm that the operation is authorized. I have a physical button to confirm on my smartcard, and I even didn't use a system-wide ssh-agent until I recently found out that it has a confirmation dialog that can be enabled - I resorted to typing out a long password (~5sec) every time I wanted to use it.
Sure, I think understanding the threat model is important, and I acknowledge that the actual risk of anyone performing such a targeted attack on my system is very low (at least in ; who knows down the line what I might be hunted down for.) Despite that, I think the additional security and peace of mind is worth the minor inconvenience of confirming a dialog or pressing a button.
I watch Luke because of the strong opinionated content.... so refreshing from the wishy washy content out their that says something like "if you like you can try this but if not all good nothing bad will happen"
Best opening from Luke "In this video I'm going to talk about the only password manager that ever matters..."
🥺
Agree. I would rather listen to people's strong opinions on such things as password manager then on politics
This is only valid if you're looking for entertainment and not accurate information. Opinionated people are often wrong.
@@abuttandahalf Of course, that's just your opinion though. Interesting.
Interesting; looks like some more applications are going to be put on the chopping block.
Very useful. Thanks.
I would use this, but I'm not sure how to make this work with syncthing since I always try to have hardware redundancy with important data such as passwords. If it doesn't exist on at least two computers, it doesn't really exist.
You should also mention you can sync your passwords with Syncthing to your phone, as well s the very excellent Password Store app (available on F-Droid) to use pass and pass-otp on the go.
Best video on youtube.
Great success.
Thanks for your videos
congrats Luke on 100k subs. It's a shame they downgraded the play buttons :/
How does this integrate with a browser - copy/paste? Seems annoying. What about syncing to a mobile device? I'd like to start using an open source password manager but right now I'm using LastPass for these reasons.
Is it possible to store keys in a different location and specify as parameter when decrypting?
I like bitwarden because I need android support, and my friends and family can also use it, which would not be possible with pass. I still use pass for whenever I need to automatically a password for a script, but bitwarden makes more sense for me personally.
If you need a graphical interface you can use qtpass
Is there a way to use pass or some other program to circumnavigate the stupid "we'll send you a text with your otp :))" bs?
I have a thinkpad with a smartcard reader....if I get a smartcard and writer, could pass use a smartcard for verification?
I miss this type of content, pre red pill Luke Smith
Is there some solution with browser integration that could generate passwords and usernames and store them securely?
How do I use pass when I am a digital nomad soy dev? Like where do I store my private key? I can't print it and carry it around with me because it will just get lost.
With Yubikey or some other ~$40 hardware token device you can store your private GPG key in it (one way). It's much more secure and convenient to use.
I just noticed Luke moves his hands like Orange boomer
Noob here. Can someone tell me what dwm layout he's using in the beginning ?
You should try Plan 9's factotum
These six numbers are event based or time based?
should I save them on nextcloud?
Tried your LARBS 3 times now, and it keeps black screening me🤦♂️ it also doesn't let me to go back, so I need to reinstall manjaro every time.
Plz help? 🔥🔥🔥
Right everything is saved locally including the private key
This is awesome. I am currently using LastPass, but I really don't like it.
Hiii Luke did you ever make a sync tutorial? I know you love gen z emotes so here's some begging eyes 🥺 There's an iOS pass client id like to sync between 🥺🥺
Does anyone knows how to unlock the GPG pair by default? I mean, I don't want to enter my password over and over again... I was reading about the package pam-gnupg, but I still couldn't figure it out how to achieve it.
what about keepass?
Non-free software. Should NEVER be used.
The alternative is not to have so many accounts to consume content everywhere that you need a password manager to remember them all. Still this looks pretty good though, not gonna lie for upcummies.
This guy is more professional than my computer science professors with their Windows or Ubuntu systems
Hi, Luke i would appreciate it if you could make a video on how to transfer your Pass-Database to a new PC/Laptop. I tried it several times but i couldn't get it to work and i can't find a good howto either.
scp -r ~/.password-store otherbox:
can it generate a random password ?
Sync would be handy yes as then it could replace 1password.
1password is one of the better ones as it can do OTP , no phone needed . There is a command line version for linux
Pretty sure 1password is non-free software. Essentially, you're blindly trusting that 3rd party.
kewl
May you please make a guide on making your own email server? If not can you point out some resources that you use for your server?
ruclips.net/video/9zP7qooM4pY/видео.html
github.com/lukesmithxyz/emailwiz
@@LukeSmithxyz Thank you!
Pass is absolutely the best, until you are forced to use Windows for work
#DM CHRIS_HACKER266 ON INSTAGRAM HE IS THE BEST#
On a scale of 1 to 10 what is your favorite color?
What about lastpass cli? Works well with qute as well!
Lastpass is non-free software. That fact alone disqualifies it as a viable option.
I did a fresh install of manjaro and larbs broke it 🤔
Guess my biggest question is how do you backup your passwords? Can you backup passwords? That's the only thing keeping me on a cloud service.
Git
So, all the infosec "gurus" say Linux is far more.private but far less secure than even windows. What say you guys? Is it true running windows in a virutal box on Fedora is the safest, "most secure" for "normies" other than chrome os on a Chromebook as I've seen several infosec guys say?
9:45 cool, but aegis is also good
B-but muh yubikey...
You can use the GPG functionality of a YubiKey with pass too. This is what I do and I also have my OTP's in pass, so the fact that the GPG key is inside the YubiKey gives me my second factor
1:29 if select key expire. what happen passwords after gpg key expire. are they gone? becouse you cant generate new and get new gpg to read your passwords LOL that would be silly xD
Redpill me on pass. I currently use KeepassXC which is minimal-ish. It has good Android support, the command line version is usable enough to work with scripts (although it's admittedly not great), and it makes SSH and GPG key passwords effectively automatic. Secret Service integration is good too. I get that pass is fundamentally simple and easy, but there are so many different authentication systems on Linux - ssh, secret-service, etc - that it really feels like I have to independently manage 3 or 4 different authentication systems independently. With KeePassXC I just run the one program, and everything is solved, including browser integration, without having to hack a bunch of scripts together. I understand the value of minimalism, but I feel like pass goes so headlong into minimalism that it doesn't really fit the use case of a good password management system anymore. I am interested in other people's opinions, though, and how they manage all of these complex interdependent authentication systems.
This video is not bloated
Please make a pam-gnupg tutorial, I can't get it working.
i second this. I feel really stupid but dont get the setup process
how to backup this passwordstore
So you could say pass isn't bloaaat?
I think a better way is to not rely primary on passwords manager. I prefer passphrase to passwords , they are easy to remember. An example will be "A dog cost $200". Simple, Easy to remember, secure enough
Yes, for some important password I use this method, like gpg passphase. But you can't remember all passwords with this. I got 214 encrypted password with pass now.
Yes, it's a simple and well understood technique but it doesn't translate in terms of actually being usable. Don't get so hung up over the difference in terminology...... a "passphrase" is just another term for "password". Essentially, they're serving the exact same purpose. In other words, your password can be just as long and mixed as your precious "passphrase" if you want it to be. Now that we understand there's no magic here and that the lingo used is meaningless, we get into more interesting areas of the conversation which are based in the strength (how hard is it to guess or brute force) and usability of the password/passphrase/whateverothersillythingwewaanttocallit as well as how do we interact with it. On the subject of interaction alone, you're not going to be typing a sentence (using your example here) every time you access a particular thing. That'd be crazy. I mean sure, if you're into that......... So clearly, the better approach is to use a utility to pull the credential from a secure (encrypted) store, and make it accessible (we typically speak in terms of the clipboard here) so we can avoid the silly ritual (grunt work) of having to physically type it. So in the case of your precious "passphrase" approach (which really are just longer passwords), you can go ahead and use them all day but now you get to use them through a password manager in order to avoid having to manually type them (complete waste of your valuable time).
Having your password and opt in one place seems like a bad security idea, it pretty much takes away the 2 in 2 factor authentication.
Normally that would be true, as you know 2FA should always be comprised of something you have (the otp), and something you know (the password). In this case it's actually 3 factors, two things he has: the otp and encrypted password database via gpg, and one thing he knows: the password to unencrypt his gpg key pair. So you do still have both types.
Isn't the whole point to let the password manager generate the password if you are gonna use it?
you can type "pass generate" to create the password for you.... "pass generate -m" to type user and password on each line.
OTP, also know as "one true pair"
Keepass is mine
pass also supports git so you can version your passwords or backup them in a git repository. It is also safe to have them in a public repo because they are encrypted with your private key that stays on your machine and is password protected too
Anyone who reads this, don't do that
@@MrHaashimAlvi Why? Everything the OP said is completely true. Are you just spreading alarmist FUD?
Now I just need to find a password manager my gpg key password
Imagine using stateful password managers. You can't get hacked if there's no file to decrypt!
Pass is cool but I end up using keepass because web is b1o@t3D to the point one needs a b1o@t3D password manager.
I use it on an iphone...
It looks like you updated your terminal color scheme. Do I have your permission to copy your proprietary hex codes?
Also, I have a reeeeeeealllly important question!! Are you going to get bloated on Thanksgiving?????
One negative thing about pass is that you can't store a username.
you can store multiline text. The first line should be your password because the first line is used when copying to clipboard by pass. The rest is up to you, you can store username, question/answer pairs etc...
KeePassXC FTW
in shorter words: PASS isn't bloated
Did he just call OTP One Time Password? It's One Time Pin
Well, syncing is very important to me. I need to have my passwords and OTPs available on my consoomer Android phone. That's why I selfhost bitwarden_rs.
Pass comes with built in git support, so you can sync using any git server. I self host gitea so I use that but you could use a private GitHub repo too. Once you have your remote configured, you can just do "pass git push" and "pass git pull"
For android, there is an app too: github.com/android-password-store/Android-Password-Store
OTPHJ
I STILL WAIT FOR UR BLACK-ARCH REPOSITORYTUTOS !! :P
Luke Smith: I'm giving up my war on bloat
also Luke Smith 10 hours later: PASS is the best because it's minimal and devoid of junk
Nah I'm staying with Bitwarden
One day Luke post a video about trusting your passwords to google, in another day he post a tool for storing passwords. Something is not right
$ pass ioni... Init
Some time ago I wrote my own script for 2fa.. Maybe will be useful for somebody.
github.com/kohutd/2fash