TOTP support in password-store

Andrew Beyer beyer.andrew at gmail.com
Sat Dec 31 01:19:27 CET 2016


On Fri, Dec 30, 2016 at 3:50 PM, Reed Loden <reed at reedloden.com> wrote:
> If I compromise your computer, I still get both the password and the TOTP
> secret just from a simple keylogger. Not safe.

I wouldn't keep it online all the time on the same device as a
replacement for a second factor... but a second password store with a
separate key & passphrase stored on a phone or other device that
doesn't also have the passwords could work, plus putting it on offline
media is a pretty reasonable compromise for backup purposes. You can
keep the private key on the same media, and the only time you would
ever be using its passphrase would be if you had to do an emergency
recovery, which hopefully isn't very often. Not perfect, but likely
better than many other options (many places that do 2FA suggest
printing and saving the unencrypted QR code on a sheet of paper).

> If you don't want to use your phone, just get a hardware token of some sort
> (Yubikey or similar).

You still need a backup for last-ditch recovery if (when) your
hardware device is lost/stolen/broken/replaced/etc...

I use pass like this for TOTP backup already, but I'm not sure there's
much need for anything new in pass to support doing that, as just
piping the TOTP seed to/from pass works pretty well. I may get around
to writing up some scripts to automate my process at some point.
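As an added illustration of the "pipe the seed to/from pass" approach (this is example code written for this page, not Andrew's scripts and not part of pass itself), the script below implements RFC 6238 TOTP over a base32 seed read from stdin, so the stored secret never has to be passed on a command line where it would show up in process listings or shell history. The pass entry name `otp/example` in the comments is a hypothetical placeholder; the seed and times used in the checks are the RFC 6238 reference vectors.

```python
"""Generate and verify TOTP codes (RFC 6238) from a base32 seed.

Intended usage, with the seed kept in pass (entry name is hypothetical):

    pass insert otp/example                 # paste the base32 seed once
    pass show otp/example | head -n 1 | python3 totp.py

Only the first line of the entry is treated as the seed, so extra notes
can follow it in the same pass entry.
"""
import base64
import hashlib
import hmac
import struct
import sys
import time
from typing import Optional

# RFC 6238 reference seed ("12345678901234567890" as base32), used only
# for self-checking; a real seed comes from the pass entry.
RFC6238_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_seed(seed_b32: str) -> bytes:
    """Decode a base32 seed, tolerating spaces, lowercase and missing '='.

    Provisioning QR codes and vendor pages print seeds in all of those
    forms, so normalise before decoding rather than failing on padding.
    """
    s = "".join(seed_b32.split()).upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(seed_b32: str, at: Optional[int] = None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    if at is None:
        at = int(time.time())
    return hotp(decode_seed(seed_b32), at // step, digits, algo)


def verify(seed_b32: str, code: str, at: Optional[int] = None, window: int = 1,
           step: int = 30, digits: int = 6, algo=hashlib.sha1) -> bool:
    """Check a submitted code against the current step and +/- `window` steps.

    Uses a constant-time comparison and evaluates every candidate step so
    the timing does not reveal which step (if any) matched.
    """
    if at is None:
        at = int(time.time())
    key = decode_seed(seed_b32)
    base = at // step
    ok = False
    for delta in range(-window, window + 1):
        candidate = hotp(key, base + delta, digits, algo)
        ok |= hmac.compare_digest(candidate.encode(), code.encode())
    return ok


if __name__ == "__main__":
    # Seed arrives on stdin (e.g. from `pass show ... | head -n 1`).
    seed = sys.stdin.readline().strip()
    if not seed:
        sys.exit("no seed on stdin")
    print(totp(seed))
```

The `window` argument mirrors what most verifiers accept (one step of clock drift either way); keep it at 1 rather than widening it, since every extra step is another code an attacker could replay.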


More information about the Password-Store mailing list