return



Months ago 1Password announced their new version, removing the local vault. Since then I migrated to pass and so far it's all pretty nice.

Pass is a very simple tool, each of the passwords is a file, GPG-encrypted. There is no schema / structure enforced on how should the files be organised, just like how you can freely organise your own documents. I personally have something like this, but of course it's up to each user to decide.

├── Github
├── Gitlab
├── Google
│   ├── Personal
│   ├── Company A
│   ├── Company B

I create folders for services that I have more than one account, but you can also organise files in your own way, for example a Programming folder for Github and Gitlab.

The file format is also very simple.

  • The first line is the password
  • The rest is anything up to you.

An example:

this-is-the-password
login: this-is-the-username
url: https://example.com
otpauth:......
Secure Question 1: Do you like cat? Yes.

This simple structure means softwares can easily process the file and integrate with it. For example, a browser extension may open a website according to the url field, fill in the username by the login field. Extensions such as pass-otp can understand certain data in the file and provide extra functionalities. Possibility is unlimited.

Migrating from 1password

I first exported my 1Password vault to the .1pif format. On pass's official site there's a link to a script 1password2pass.rb, except that didn't work very well. Probably because it's written years ago. (I am pretty sure pass's sample format wouldn't have this few-years-is-already-too-old problem.) My second trial is a tool called pass-import, it handled most of the 1Password record pretty well, except for 2 little problems. 1. 1Password also exports trashed passwords, and pass-import didn't ignore them. 2. It doesn't import OTP very well.. Luckily, it's all open source, so I've fixed it and sent 2 PRs to address the problems.[1]

Now I have some nice password files, but I was still not sure if everything had been migrated correctly. I want to keep a backup of the original .1pif file in a secure manner, just in case. In 1Password you can put any file into the vault and that was convenient. In pass, since everything is just GPG-encrypted files, I simply encrypted the 1pif file and put in into the password store. Neat!

User experience

The biggest difference is obviously the UI. pass is command line based, whereas 1Password had a nice GUI. Since I always have my terminal opened somewhere, it wasn't much different for me to type pass Apple -c than typing it into 1Password. There are some little issues though.

  1. Obviously it wouldn't be nice to have the password always visible on screen, I always open a new terminal window, type pass, and then close the window. That's a tiny bit of inconvenience.
  2. Using the -c option makes pass copy the password to clipboard instead of showing it on screen.
    • It's nice, except, I always use an unique email address for each service, and there's no option to copy the username/email address, so afterall I still have to show everything on screen to copy.
    • I use Alfred and love it's clipboard history function. pass clears the clipboard after 45 seconds, but the password is still saved in the clipboard history. As for 1Password, I have no idea why and how, but copying the password from 1Password doesn't leave trace in the clipboard history.

PassFF

I also have PassFF installed, a Firefox extension. It works very well to my surprise, it understands all those login otpauth fields. One little thing to notice is that if you only have pass installed, by default the only way to unlock the "vault" is to via terminal, like this.

Entering passphase in terminal

PassFF cannot handle that, and it cannot unlock the vault for you. A solution is to install pinentry-mac and had it setup (don't forget gpg-connect-agent reloadagent /bye after setting the agent config). Then there would be a nice dialog with the option to save the passphase to keychain. You can also have it unlocked by touchid by pinentry-touchid, although I haven't try it.

Entering passphase in GUI

Pass for iOS

Pass for iOS is a great app for using pass on iOS. The experience is actually better than what I have on desktop. It integrates those iOS functions like faceid and autofill, it supports OTP as well. A limitation is that it only sync with git, if you use other syncing methods like syncthing, unfortunately it's not supported. The git support is however pretty nice, I can add, update and delete passwords on mobile with a nice commit log. Pushing and pulling is also as simple as pull to refresh. Setting up the app takes longer than 1Passsword, because I have to setup both GPG key and SSH key for the git repo.

Pass for macOS

I also tried to find a tool that integrates better with Mac OS, and came along Pass for macOS. Though, as its Readme suggests it's still very much beta, it doesn't even support OTP... not very helpful.

Syncing

Unlike 1Password that forces user to upload their data. Pass stores the data locally, users can choose how to sync, just like any regular files. I use git with a repo hosted on my own server, but it could be anywhere. Git gives me a nice history of my password files, that I have the confidence to recover whatever I need. My friend use Syncthing, that's the freedom you get from pass.

An example git commit log:

commit 7f9fc0f818d585230b4a1b65d2d921500643b7a2 (HEAD -> master, origin/master)
Author: b123400 <i@b123400.net>
Date:   Sat Nov 20 21:01:45 2021 +0900

    Edit password for www.example.com using vi.

commit fa62821144bb728332b93bff4e9dce3a11e943f7
Author: b123400 <i@b123400.net>
Date:   Sat Nov 20 21:00:54 2021 +0900

    Add generated password for www.example.com.

commit 017fc63fb693122c51fc618e759d8a0a1323eeff
Author: b123400 <i@b123400.net>
Date:   Sat Nov 20 17:07:36 2021 +0900

    Rename Example to www.example.com.

A choice for nerds

The company I am working at decided to use 1Password few months after I migrated away. It's of course an improvement, anything is an improvement comparing to an old-fashioned spreadsheet. 1Password makes it easy to stop people from reusing their passwords while maintaining a convenient experience, it's something a lot of people need. pass on the other hand has a steeper learning curve and undoubtedly a nerdy user experience. Not many people want to trade convenience with independency. However if you are a nerd who already has a GPG key, please give pass a try! Its simplicity is surprisingly capable, it makes other format looks over-complicated.


  1. Those PRs are not merged after few months... typical OSS development experience. You may want to use my fork. ↩︎