Hacker News

Many password managers allow most of these things, so I'm not convinced. I'm using keepassxc, which surprisingly does not get much publicity here on HN.

> Here are some of the pros of Pass:

> * It leaks meta-data. That might sound like a con, but in exchange you get the ability to extract a password without decrypting and thus exposing other passwords. There is isolation.

I still consider leaking metadata a more serious potential for issues than having to decrypt the whole database. Also, you say it extracts the password without decrypting, but you still need to decrypt the password.

> * It’s more convenient than a single-file password manager. You type 'pass -c goo' for your Google account, instead of clicking on your password manager, typing the password, searching in the database, finding the right entry, copying the password or pressing auto-complete and closing the database. The combination of mouse and keyboard can make alternative password managers slower.

When I use keepassxc I can easily use the libsecret command-line tool, no GUI involved (except for opening the DB). By using the secret store integration I also don't interact with the password manager directly most of the time. It gives me the password for git repositories over HTTPS, WiFi passwords and my VPN password; SSH is done via the ssh-agent integration, while for the browser there is the plugin.

> * You don’t need your master password to add a new password (it uses asymmetric encryption).

Except, as pointed out by someone else, all your old entries are still only encrypted by the old password.

> * You can easily program it, e.g., write a backup script that grabs a password from the store.

This is easy as well via libsecret integration in other password managers.

> * It uses GPG which means your secret key can be stored on Yubikey, handled by a dedicated agent. Your password is basically a short PIN with max 3 tries. This is unparalleled convenience and security!

I admit that can be an advantage, but I don't think I would use it much. If I need to enter a password on the go, I would always use the phone app.

> * It’s secure, because it’s a short bash script that you can check, and delegates encryption to a dedicated well-audited cryptographic tool.

I don't think this argument is convincing. Security is complex and there have been plenty of cases of some tool using known secure components and still messing things up. I'm not saying this is the case here, though.

> * You can encrypt to multiple keys, thus use it similar to LUKS that supports multiple passwords.

What's the use case for this?

> * GPG is usually widely available, so you can decrypt a password on another system on which you may not have admin rights to install your password manager.

Many password managers work as static binaries AFAIK, so you could just carry that around on your USB stick.

> There might be a few cons, though. For example, if you store your database on a cloud, say, Dropbox, Dropbox could switch your Dropbox.com file with the google.com file, and you copy and hand over your Google password to Dropbox. But this is hypothetical for most of us! Also, some people don’t like metadata (filenames) leakage, though apparently there are solutions for that.

> Overall it’s very convenient and functional. I highly recommend it.
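Two of the points argued above, the metadata a pass store exposes and old entries staying encrypted to a previous key after a rotation, can be checked offline. The script below is an added example, not code from pass, keepassxc or anyone in the thread; the function names (`audit_store` and the rest) are my own, and it only needs the Python standard library.

```python
"""Added example, not part of pass or keepassxc: audit a pass(1)-style store offline,
with no private key and no gpg binary. It shows what a bystander with read access learns
(entry names, recipient key IDs from the OpenPGP headers) and which entries are not
encrypted to every key in the governing .gpg-id. Assumes v3 PKESK packets (RFC 4880)."""
from pathlib import Path

def parse_packets(data: bytes):
    """Yield (tag, body) per OpenPGP packet (RFC 4880 sec. 4.2). Stops at the first
    partial- or 5-octet-length packet: recipient packets precede the encrypted data."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if hdr & 0x40:                                  # new-format header
            tag, first, i = hdr & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            else:
                return                                  # only the data packet uses these
        else:                                           # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            n = 0 if ltype == 3 else 1 << ltype         # 0 = length runs to end of data
            length = len(data) - i if ltype == 3 else int.from_bytes(data[i:i + n], "big")
            i += n
        yield tag, data[i:i + length]
        i += length

def recipients(data: bytes) -> list:
    """Key IDs of every v3 PKESK packet (tag 1); an all-zero ID is a hidden recipient."""
    return [b[1:9].hex().upper() for t, b in parse_packets(data) if t == 1 and b[:1] == b"\x03"]

def expected_key_ids(gpg_id_text: str) -> set:
    """Key IDs from .gpg-id lines that are fingerprints or 16-hex key IDs; e-mail
    or name lines would need a keyring to resolve and are skipped."""
    toks = [t.upper().removeprefix("0X") for t in gpg_id_text.split()]
    return {t[-16:] for t in toks if len(t) in (16, 40) and set(t) <= set("0123456789ABCDEF")}

def audit_store(root) -> dict:
    """{entry name: (recipient IDs, expected IDs the entry is missing)}; the nearest .gpg-id
    up the tree governs, as in pass. Missing IDs usually mean a rotation skipped re-encryption."""
    root, report = Path(root), {}
    for f in sorted(root.rglob("*.gpg")):
        d = f.parent
        while not (d / ".gpg-id").exists() and d != root:
            d = d.parent
        ids = (d / ".gpg-id").read_text() if (d / ".gpg-id").exists() else ""
        recips = recipients(f.read_bytes())
        report[str(f.relative_to(root))[:-4]] = (recips, sorted(expected_key_ids(ids) - set(recips)))
    return report
```

Call `audit_store(Path.home() / ".password-store")` to see, for each entry, exactly the information someone syncing or backing up the directory can read without any key.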
