Password store storing some passwords in plain text

password

I red about the password management program pass in a question on this forum and decided to try it.

I installed from the download page (tarball 1.6.3).
I created some test entries and then some real entries and committed them to git and pushed them to github. When I looked at my github repository I did see some non .gpg file with the plain text versions of the passwords pushed to github. Those file also exists local. I have removed my real passwords from ~/.password-store:

$ pass
Password Store
├── test
│   ├── test
│   └── test
├── test1
│   └── test2
└── test3
    └── test4

The double test is strange already:

$ ls ~/.password-store/test
test  test.gpg
$ more !$/test
more ~/.password-store/test/test
uJ94!qmv}E\41GjLxJx`
$ gpg -dq <  ~/.password-store/test/test.gpg 
uJ94!qmv}E\41GjLxJx`

Is this normal? What can I do against the plain text versions of the passwords being stored?

Best Answer

I have seen that application do that as well. I think it is a result of the bash script (that is the pass program) not catching some errors. For me it was reason not to start using the program for real.

If you can live with the plain text files being stored locally, you can prevent them from being stored in git (and pushed out to github) by setting up a .gitignore file in your ~/.password-store:

*
!*/
!.gitignore
!.gpg-id
!*.gpg

(this first ignores everything to be stored, then allows subdirs and allows the configuration files as well as all files ending in .gpg).

If you haven't done so yet, you should immediately change all passwords that you pushed out to github. Also remove ~/password-store/.git and everything underneath and reinitialize git (pass git init) for the password store, as the old, committed, plaintext files will still be in there.

Related Solutions

Avoiding plain-text password in http_proxy

Using base64 is useless, it's just a simple transformation. Using encryption with a key that's stored alongside the encrypted data is also useless because it's still just a simple transformation. If you're worried about someone getting access to your configuration files, then you need to encrypt with a key that isn't in your configuration files, and that means you'll have to type a password¹ when you log in.

Rather than make your own, use an existing encryption mechanism.

On Linux, if you go with file encryption, encrypt your home directory with eCryptfs, or encrypt the whole disk with Linux's disk encryption layer (dm-crypt, cryptsetup command), or create a small per-file encrypted filesystem with encfs. In the latter case, have a script that mounts the encfs filesystem and then runs a script stored there.

On Windows, put the file on a TrueCrypt/VeraCrypt.

Alternatively, use a password manager (set a master password, of course). Gnome's password manager (gnome-keyring) can be queried from the command line with the secret-tool utility. Seahorse provides a convenient GUI for exploring and modifying the keyring and setting a master password.

secret-tool store --label='Corporate web proxy password' purpose http_proxy location work.example.com

export http_proxy="http://cman:$(secret-tool lookup purpose http_proxy location work.example.com)@192.0.2.3/"

This required D-Bus, which is normally available by default under Linux (most modern desktop environments require it) but needs to be started manually under Cygwin (I don't know exactly how).

¹ _{or otherwise supply secret material, e.g. stored on a smartcard.}

Hiding passwords in wpa_supplicant.conf with WPA-EAP and MSCHAP-v2

Open terminal and type :

wpa_passphrase YOUR_SSID YOUR_PASSWORD

Sample output:

network={
    ssid="YOUR_SSID"
    #psk="YOUR_PASSWORD"
    psk=6a24edf1592aec4465271b7dcd204601b6e78df3186ce1a62a31f40ae9630702
}

Open the wpa_supplicant.conf file and add the following line:

psk=6a24edf1592aec4465271b7dcd204601b6e78df3186ce1a62a31f40ae9630702

Best Answer

Related Solutions

Avoiding plain-text password in http_proxy

Hiding passwords in wpa_supplicant.conf with WPA-EAP and MSCHAP-v2

Related Question