
If you're using a *nix system: https://www.passwordstore.org/ I switched over from LastPass a few months ago. It uses gpg for encryption and supports git for password syncing between systems. Pretty simple to set up and use. There are quite a few third party apps for it already (both desktop and mobile)



Does this still have the problem of leaking metadata (site names, etc.) in plain text? I don't want to manually obfuscate them.


If you don't like manually obfuscating things, just keep your passwords in a txt file.


I've been amazed by Pass, but couldn't find a thorough review between Pass and KeePass(x). Is one safer than the other?


`pass` is based on well-established cryptography implementations: GnuPG. GnuPG is recommended by many security experts and used widely by journalists dealing with sensitive disclosures, e.g. the Edward Snowden documents.

It also doesn't try to NIH some complicated database format or syncing technology but instead uses well-established software (git, plain directory structure and gpg-encrypted text files) which makes it robust, flexible and future-proof, and also responsive to changes in cryptography as it benefits from upstream GnuPG updates. You can use any PGP key structure you want, or even hardware PGP devices like the YubiKey.

KeePass on the other hand seems to be based on mostly homegrown techniques written by people with no or limited understanding of cryptography. (see e.g. [0]) That said, I don't know how much KeePassX continues this trend - but it's based on the same file format so it presumably has to reimplement at least some of KeePass's homegrown crypto.

I don't know how much more convincing you need, but personally I wouldn't even dare consider using anything other than `pass`.

[0] https://news.ycombinator.com/item?id=9727297


Thanks! I'll definitely migrate to pass soon.


One big difference: pass only encrypts the password. All metadata is plaintext, so anyone can see a full listing of what online accounts you have.
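The on-disk layout described above (plain directory tree, one gpg-encrypted file per entry) and the metadata point made here can be seen together in a mock store. This is an added example, not code from the thread or from pass itself; it needs no gpg key because the entry contents are placeholder bytes, and the three account names are constructed for illustration.

```sh
#!/bin/sh
# Added example: mimics the pass store layout (<store>/<group>/<name>.gpg)
# and shows what a copy of the store reveals to someone without the key.
set -eu
LC_ALL=C
export LC_ALL

# Build a throwaway store. The .gpg bodies are placeholder bytes, not real
# ciphertext, because the point is the directory tree, not the contents.
make_mock_store() {
  store=$(mktemp -d)
  for entry in "mail/example.com/alice" "bank/examplebank.net" "vpn/work"; do
    mkdir -p "$store/$(dirname "$entry")"
    printf 'ciphertext-placeholder' > "$store/$entry.gpg"
  done
  printf '%s\n' "$store"
}

# Everything a holder of the store (a cloned git remote, a stolen backup)
# learns without decrypting anything: the full list of accounts, sorted.
leaked_metadata() {
  store=$1
  (cd "$store" && find . -name '*.gpg' | sed 's|^\./||; s|\.gpg$||' | sort)
}

# Count of entries, also visible without the key.
entry_count() {
  leaked_metadata "$1" | wc -l | tr -d ' '
}

store=$(make_mock_store)
leaked_metadata "$store"
entry_count "$store"
```

Only the entry bodies are protected by gpg; the path of each entry, and therefore which services and usernames you hold, is readable by anyone who obtains the store.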


pass is as safe as your gpg installation and your gpg key because that's the encryption it uses.


That's a dangerous oversimplification. By that logic "LastPass is as safe as AES as that's what it uses" which is obviously not the case.

A system is as secure as its weakest component.


I tried LastPass, but didn't trust them, so I found https://www.passwordstore.org/ some years ago. I can't emphasize enough how good it is, mainly because it is so dead simple and transparent in how it works, and also because it has great bash integration, and uses git which makes it easy to sync between your machines. There is also a Firefox plugin that integrates with it, but I don't really see that you need it: it is so easy to use at a prompt.


I use password store too, and it works really well. I'm on macOS, but getting it to work under Android and Windows was a breeze.


That's brilliant, thanks a lot!

I never trusted "cloud" (read: not yours) password stores. I have been using KeePass and manual syncing, but I had my doubts about it too.

This looks perfect and simple!





