Switching from LastPass to Pass

Topics: Command Line, Security

I used to keep all my passwords in my head. I kept track of them using some memory tricks based my very, very limited understanding of what memory champions like Ed Cooke do. Basically I would generate strings using pwgen and then memorized them.

As you might imagine, this did not scale well.

Or rather it led to me getting lazy. It used to be that hardly any sites required you to log in so it was no big deal to memorize a few passwords. Now pretty much every time you buy something you have to create an account and I don’t want to memorize a new strong password for some one-off site I’ll probably never visit again. So I ended up using a less strong password for those. Worse, I’d re-use that password at multiple sites.

My really important passwords (email and financial sites), are still only in my head, but recognizing that re-using the same simple password for the one-offs was a bad idea, I started using LastPass for those sorts of things. But I never really liked using LastPass. It bothered me that my passwords were stored on a third-party server. But LastPass was just so easy.

Then LogMeIn bought LastPass and suddenly I was motivated to move on.

As I outlined in a brief piece for The Register, there are lots of replacement services out there — I like Dashlane, despite the price — but I didn’t want my password data on a third party server any more. I wanted to be in total control.

I can’t remember how I ran across pass, but I’ve been meaning to switch over to it for a while now. It exactly what I wanted in a password tool — a simple, secure, command line based system using tested tools like GnuPG. There’s also Firefox add-on and an Android app to make life a bit easier. So far though, I’m not using either.

So I cleaned up my LastPass account, exported everything to CSV and imported it all into pass with this Ruby script.

Once you have the basics installed there are two ways to run pass, with Git and without. I can’t tell you how many times Git has saved my ass, so naturally I went with a Git-based setup that I host on a private server. That, combined with regular syncing to my Debian machine, my wife’s Mac, rsyncing to a storage server, and routine backups to Amazon S3 means my encrypted password files are backed up on six different physical machines. Moderately insane, but sufficiently redundant that I don’t worry about losing anything.

If you go this route there’s one other thing you need to backup — your GPG keys. The public key is easy, but the private one is a bit harder. I got some good ideas from here. On one hand you could be paranoid-level secure and make a paper print out of your key. I suggest using a barcode or QR code, and then printing on card stock which you laminate for protection from the elements and then store it in a secure location like a safe deposit box. I may do this at some point, but for now I went with the less secure plan B — I simply encrypted my private key with a passphrase.

Yes, that essentially negates at least some of the benefit of using a key instead of passphrase in the first place. However, since, as noted above, I don’t store any passwords that would, so to speak, give you the keys to my kingdom, I’m not terribly worried about it. Besides, if you really want to get these passwords it would be far easier to just take my laptop and hit me with a $5 wrench until I told you the passphrase for gnome-keyring.

The more realistic thing to worry about is how other, potentially far less tech-savvy people can access these passwords should something happen to you. No one in my immediate family knows how to use GPG. Yet. So should something happen to me before I teach my kids how to use it, I periodically print out my important passwords and store that file in a secure place along with a will, advance directive and so on.