[pass] Password age report

Lenz Weber mail at lenzw.de
Wed Aug 31 22:52:07 CEST 2016


pass integrates with git blame for plaintext comparison. if you can
still decrypt older entries, this should give you exact change dates.

try something like

date -d @$(git blame -L 1,1 --porcelain dropbox.com.gpg | sed -n 's/^committer-time //p')

(taken from this mail on the mailing list:
https://lists.zx2c4.com/pipermail/password-store/2016-May/002280.html )


On 31.08.2016 at 21:09, Daniel Dörrhöfer wrote:
> On 31.08.2016 19:02, Kjetil Torgrim Homme wrote:
>> On 31 Aug. 2016 17:48, Brian Candler wrote:
>>> On 31/08/2016 16:43, Emile Cantin wrote:
>>>> In light of the recent Dropbox leak, I wanted to know how old my
>>>> password was, and perhaps if I had any other old passwords that would
>>>> be due for a rotation. I don't think I can rely on the last
>>>> modification date on the files, as a fresh clone of my repo would have
>>>> today's date, even if the file was last modified in my repo in 2012. I
>>>> looked into how to do this with Git, but it's pretty
>>>> ungainly: http://serverfault.com/questions/401437/how-to-retrieve-the-last-modification-date-of-all-files-in-a-git-repository
>>>>
>>>> Keepass has an "expiration date" field which you can set when
>>>> generating a password, and it appears in a different color in the list
>>>> when expired.
>>>>
>>>> I think password age is a relevant metric for a password manager, but
>>>> pass doesn't currently offer any visibility into this.
>>>>
>>>> What do you think?
>>> This is (another) reason why it would be good if pass were to sign its
>>> GPG files. The signature includes a timestamp.
>> re-encrypting the files to a new set of keys will make a new signature.
>> you need to make the date part of the password file itself, or have pass
>> maintain some metadata in a separate file, e.g., "work/supplier.gpg"
>> could have a companion file "work/.meta.supplier.gpg", containing:
>>
>>   created: 2015-03-02T14:25:02+0200
>>   updated: 2016-08-31T18:55:32+0200
>>   expire: never
>>
>> the above syntax is valid YAML which can be useful if more complex
>> structures are wanted later.
>>
>> it might be useful to allow encryption of the metadata to be optional.
>>
> I like the git way of checking it. This is how to get a complete history
> of dropbox.com.
>
> pass git log --pretty="%s %Cgreen %cr %Creset" | grep dropbox.com
>
> Of course, a signature is additional security.
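
Added example, not part of the thread and not code from the pass project: a shell function that applies the git-history approach discussed above to the whole store, printing each entry's age in days since its last commit, oldest first, and flagging entries past a rotation threshold. The name `pass_age_report`, its arguments and the `ROTATE`/`ok` labels are assumptions; any commit that rewrites a file (for example re-encrypting to a new set of keys) also resets the date, so the reported age can be lower than the password's real age.

```bash
#!/usr/bin/env bash
# Added example (hypothetical helper, not part of pass).
# Usage: pass_age_report [store_dir] [max_age_days] [now_epoch]
# Output: "<age in days><TAB><ok|ROTATE><TAB><entry name>", oldest first.
pass_age_report() {
    local store="${1:-${PASSWORD_STORE_DIR:-$HOME/.password-store}}"
    local max_days="${2:-365}"
    local now="${3:-$(date +%s)}"   # injectable so results are reproducible
    local file ts age flag

    # File mtimes are useless after a fresh clone, so git history is required.
    if ! git -C "$store" rev-parse --git-dir >/dev/null 2>&1; then
        echo "pass_age_report: $store is not a git repository" >&2
        return 1
    fi

    # core.quotePath=false keeps non-ASCII entry names unescaped.
    git -C "$store" -c core.quotePath=false ls-files -- '*.gpg' |
    while IFS= read -r file; do
        # Committer time of the newest commit touching this file;
        # --literal-pathspecs stops names like "a[1].gpg" acting as globs.
        ts=$(git -C "$store" --literal-pathspecs log -1 --format=%ct -- "$file")
        [ -n "$ts" ] || continue
        age=$(( (now - ts) / 86400 ))
        if [ "$age" -gt "$max_days" ]; then flag=ROTATE; else flag=ok; fi
        printf '%s\t%s\t%s\n' "$age" "$flag" "${file%.gpg}"
    done | sort -rn
}
```

Called with no arguments it reads `$PASSWORD_STORE_DIR` (or `~/.password-store`) and flags anything whose last commit is more than 365 days old.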

