[pass] A web view/integration

the_jinx at etv.cx the_jinx at etv.cx
Mon Feb 8 10:28:52 CET 2016


Hi,

Most applications like 1Password use a local tool with a helper in the 
browser.
Pass can do the same on Firefox with the passff plugin 
https://github.com/jvenant/passff

Having your GPG passphrase exposed to a hostile environment (browser) is 
never a good idea; in principle, all (other) browser plugins might be 
able to intercept your key and passphrase.

Currently some coders at IJhack are looking into a different backend (as 
opposed to git + local filesystem) that allows for rate-limiting and a 
paper trail of who accessed which passwords and when. This would make 
pass a viable alternative for enterprises that need stuff like that.

I am looking into making a browser plugin for Chrome like passff, but 
it's still in extremely early stages.

Greetings,
    Anne Jan

On 2016-02-08 10:04, GOYOT Martin wrote:
> Hello Alexandre,
> 
> Thanks for the tip, I decided to use the android app.
> 
> That said, I would love for you to explain to me why this would be a bad idea.
> This could work exactly like what LastPass is doing for instance.
> 
> Regards,
> -- Martin
> 
> On Mon, Feb 8, 2016 at 10:00 AM Alexandre PUJOL <list at pujol.io> wrote:
> 
>> Using git, you can use any git server and git web app (like cgit) as a
>> pass web viewer. Then, the git server will allow you to sync your
>> passwords between your devices, and thus use the good pass client for
>> your device (pass, pass-ios, Android-Password-Store...)
>> 
>> However, the git web app only outputs the tree of the password
>> directory. The content itself stays encrypted. Do NOT try to create a
>> tool in order to decrypt and output it in a web browser. As Dashamir
>> Hoxha said, it would not be a good idea at all.
>> Because you must NOT:
>> - Use any server to decrypt your password.
>> - Use JavaScript to decrypt the password directly in a web browser.
>> 
>> This is why there is no pass web app: all the pass server you would
>> ever need already exists; it is a git server.
>> 
>> Regards,
>> Alex
>> 
>> On 07/02/16 20:57, GOYOT Martin wrote:
>>> Oh I didn't know of keybase. Looks like a really interesting project!
>>> 
>>> Also I don't know if Kenny Stier had the mailing list in copy when he
>>> replied to me, but he pointed me to two mobile applications that can
>>> deal with pass:
>>> 
>>> https://github.com/zeapo/Android-Password-Store [1]
>>> https://github.com/davidjb/pass-ios#readme [2]
>>> 
>>> I decided to give the android app a try, and for my really small test
>>> until now, looks good!
>>> 
>>> On Sun, Feb 7, 2016 at 8:24 PM Santiago Borrazás <sanbor at gmail.com
>>> <mailto:sanbor at gmail.com>> wrote:
>>> 
>>> Also, maybe using the Keybase filesystem
>>> https://keybase.io/introducing-the-keybase-filesystem [3]
>>> 
>>> On Sun, Feb 7, 2016 at 10:22 AM, Dashamir Hoxha
>>> <dashohoxha at gmail.com <mailto:dashohoxha at gmail.com>> wrote:
>>> 
>>> In principle, you can use `git clone` or `rsync` to copy
>>> ~/.password-store to a portable device (usb, phone, smartphone,
>>> etc.). You can copy there the corresponding GPG key as well.
>>> Then, on another computer, you can tell pass to use the data on
>>> the portable device by setting environment variables like this:
>>> 
>>> export PASSWORD_STORE_DIR="/dev/sdb1/.password-store"
>>> export PASSWORD_STORE_GPG_OPTS="--homedir=/dev/sdb1/.gnupg"
>>> 
>>> Or you can define an alias like this:
>>> 
>>> alias pass="PASSWORD_STORE_DIR='/dev/sdb1/.password-store' PASSWORD_STORE_GPG_OPTS='--homedir=/dev/sdb1/.gnupg' pass"
>>> 
>>> I haven't tried this but it should work. Maybe somebody has
>>> written a blog or tutorial about this, with more detailed
>>> instructions.
>>> 
>>> Sorry, I know nothing about any web interface to pass. And I
>>> don't even think it would be a good idea.
>>> 
>>> Regards,
>>> Dashamir
>>> 
>>> On Sun, Feb 7, 2016 at 6:11 PM, GOYOT Martin <martin at piwany.com
>>> <mailto:martin at piwany.com>> wrote:
>>> 
>>> Hello there,
>>> 
>>> This is my first mail here, so if I'm doing anything wrong
>>> please tell me. I just wanted to know if there was any web
>>> app or mobile app that was able to deal with the pass
>>> utility as a backend.
>>> 
>>> I've been using pass for quite some time now, and I really love
>>> it. But sometimes I need to access my passwords and sadly
>>> I'm not on my own computer with pass installed, my gpg key
>>> and so on. So I was wondering if something like a web or
>>> mobile interface capable of solving this problem already
>>> exists.
>>> 
>>> Regards,
>>> -- Martin
>>> 
>>> _______________________________________________
>>> Password-Store mailing list
>>> Password-Store at lists.zx2c4.com
>>> <mailto:Password-Store at lists.zx2c4.com>
>>> http://lists.zx2c4.com/mailman/listinfo/password-store [4]
> 
> 
> Links:
> ------
> [1] https://github.com/zeapo/Android-Password-Store
> [2] https://github.com/davidjb/pass-ios#readme
> [3] https://keybase.io/introducing-the-keybase-filesystem
> [4] http://lists.zx2c4.com/mailman/listinfo/password-store

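The portable-store setup from Dashamir Hoxha's quoted message, as an added example that is not part of the original thread: a pre-flight check run before exporting the two variables. It assumes the device is mounted at a directory (pass needs a filesystem path); the function names `check_portable_store` and `use_portable_store` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# check_portable_store MOUNTPOINT
# Pre-flight check before pointing pass at a store on removable media.
# Prints one line per problem found; returns 0 when clean, 1 otherwise.
check_portable_store() {
    mnt=$1
    store="$mnt/.password-store"
    gnupg="$mnt/.gnupg"
    rc=0

    # Both must be directories on a mounted filesystem.
    [ -d "$store" ] || { echo "missing store: $store"; return 1; }
    [ -d "$gnupg" ] || { echo "missing GnuPG home: $gnupg"; return 1; }

    # pass init writes .gpg-id; without it pass cannot pick recipients.
    [ -f "$store/.gpg-id" ] || { echo "no .gpg-id in $store"; rc=1; }

    # The GnuPG home holds the private key: owner-only access (0700).
    # GNU stat first, BSD stat as fallback.
    mode=$(stat -c %a "$gnupg" 2>/dev/null || stat -f %Lp "$gnupg")
    [ "$mode" = "700" ] || { echo "GnuPG home mode is $mode, want 700"; rc=1; }

    # Every entry should be a .gpg file; anything else may be plaintext
    # that was copied to the device by mistake.
    stray=$(find "$store" -type f ! -name '*.gpg' ! -name '.gpg-id' \
        ! -name '.gitattributes' ! -path '*/.git/*')
    [ -z "$stray" ] || { echo "unencrypted files in store:"; echo "$stray"; rc=1; }

    return $rc
}

# use_portable_store MOUNTPOINT
# Export the variables from the quoted message only if the checks pass.
use_portable_store() {
    check_portable_store "$1" || return 1
    export PASSWORD_STORE_DIR="$1/.password-store"
    export PASSWORD_STORE_GPG_OPTS="--homedir=$1/.gnupg"
}
```

On filesystems without Unix permissions (FAT-formatted USB sticks, for instance) the mode check reports whatever the mount options impose, which is a useful signal that the private key on the device is not protected by file permissions at all.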