Months ago 1Password announced their new version, removing the local vault. Since then I migrated to pass and so far it’s all pretty nice.
Pass is a very simple tool, each of the passwords is a file, GPG-encrypted. There is no schema / structure enforced on how should the files be organised, just like how you can freely organise your own documents. I personally have something like this, but of course it’s up to each user to decide.
├── Github
├── Gitlab
├── Google
│ ├── Personal
│ ├── Company A
│ ├── Company B
I create folders for services that I have more than one account, but you can also organise files in your own way, for example a Programming folder for Github and Gitlab.
The file format is also very simple.
An example:
this-is-the-password
login: this-is-the-username
url: https://example.com
otpauth:......
Secure Question 1: Do you like cat? Yes.
This simple structure means softwares can easily process the file and integrate with it. For example, a browser extension may open a website according to the url field, fill in the username by the login field. Extensions such as pass-otp can understand certain data in the file and provide extra functionalities. Possibility is unlimited.
I first exported my 1Password vault to the .1pif format. On pass’s official site there’s a link to a script 1password2pass.rb, except that didn’t work very well. Probably because it’s written years ago. (I am pretty sure pass’s sample format wouldn’t have this few-years-is-already-too-old problem.) My second trial is a tool called pass-import, it handled most of the 1Password record pretty well, except for 2 little problems. 1. 1Password also exports trashed passwords, and pass-import didn’t ignore them. 2. It doesn’t import OTP very well.. Luckily, it’s all open source, so I’ve fixed it and sent 2 PRs to address the problems.1
Now I have some nice password files, but I was still not sure if everything had been migrated correctly. I want to keep a backup of the original .1pif file in a secure manner, just in case. In 1Password you can put any file into the vault and that was convenient. In pass, since everything is just GPG-encrypted files, I simply encrypted the 1pif file and put in into the password store. Neat!
The biggest difference is obviously the UI. pass is command line based, whereas 1Password had a nice GUI. Since I always have my terminal opened somewhere, it wasn’t much different for me to type pass Apple -c than typing it into 1Password. There are some little issues though.
pass, and then close the window. That’s a tiny bit of inconvenience.-c option makes pass copy the password to clipboard instead of showing it on screen.
pass clears the clipboard after 45 seconds, but the password is still saved in the clipboard history. As for 1Password, I have no idea why and how, but copying the password from 1Password doesn’t leave trace in the clipboard history.I also have PassFF installed, a Firefox extension. It works very well to my surprise, it understands all those login otpauth fields. One little thing to notice is that if you only have pass installed, by default the only way to unlock the “vault” is to via terminal, like this.
PassFF cannot handle that, and it cannot unlock the vault for you. A solution is to install pinentry-mac and had it setup (don’t forget gpg-connect-agent reloadagent /bye after setting the agent config). Then there would be a nice dialog with the option to save the passphase to keychain. You can also have it unlocked by touchid by pinentry-touchid, although I haven’t try it.
Pass for iOS is a great app for using pass on iOS. The experience is actually better than what I have on desktop. It integrates those iOS functions like faceid and autofill, it supports OTP as well. A limitation is that it only sync with git, if you use other syncing methods like syncthing, unfortunately it’s not supported. The git support is however pretty nice, I can add, update and delete passwords on mobile with a nice commit log. Pushing and pulling is also as simple as pull to refresh. Setting up the app takes longer than 1Passsword, because I have to setup both GPG key and SSH key for the git repo.
I also tried to find a tool that integrates better with Mac OS, and came along Pass for macOS. Though, as its Readme suggests it’s still very much beta, it doesn’t even support OTP… not very helpful.
Unlike 1Password that forces user to upload their data. Pass stores the data locally, users can choose how to sync, just like any regular files. I use git with a repo hosted on my own server, but it could be anywhere. Git gives me a nice history of my password files, that I have the confidence to recover whatever I need. My friend use Syncthing, that’s the freedom you get from pass.
An example git commit log:
commit 7f9fc0f818d585230b4a1b65d2d921500643b7a2 (HEAD -> master, origin/master)
Author: b123400 <i@b123400.net>
Date: Sat Nov 20 21:01:45 2021 +0900
Edit password for www.example.com using vi.
commit fa62821144bb728332b93bff4e9dce3a11e943f7
Author: b123400 <i@b123400.net>
Date: Sat Nov 20 21:00:54 2021 +0900
Add generated password for www.example.com.
commit 017fc63fb693122c51fc618e759d8a0a1323eeff
Author: b123400 <i@b123400.net>
Date: Sat Nov 20 17:07:36 2021 +0900
Rename Example to www.example.com.
The company I am working at decided to use 1Password few months after I migrated away. It’s of course an improvement, anything is an improvement comparing to an old-fashioned spreadsheet. 1Password makes it easy to stop people from reusing their passwords while maintaining a convenient experience, it’s something a lot of people need. pass on the other hand has a steeper learning curve and undoubtedly a nerdy user experience. Not many people want to trade convenience with independency. However if you are a nerd who already has a GPG key, please give pass a try! Its simplicity is surprisingly capable, it makes other format looks over-complicated.
Those PRs are not merged after few months… typical OSS development experience. You may want to use my fork.