[pass] A web view/integration

Alexandre PUJOL list at pujol.io
Mon Feb 8 10:50:01 CET 2016


> 
> Currently some coders at IJhack are looking into a different backend (as
> opposed to git + local filesystem) that allows for rate-limiting and a
> paper trail of who accessed which passwords and when, this would make
> pass a viable alternative to enterprises that need stuff like that.

This is very interesting. Do you have more information about that?



On 08/02/16 10:37, GOYOT Martin wrote:
> Yeah, that was exactly my point. I know that LastPass does the same too.
> You have a utility installed on your computer and the web plugin is just
> calling it.
> 
> Thanks for the information
> 
> On Mon, Feb 8, 2016 at 10:34 AM <the_jinx at etv.cx
> <mailto:the_jinx at etv.cx>> wrote:
> 
>     Hi,
> 
>     Most applications like 1Password use a local tool with a helper in the
>     browser.
>     Pass an do the same on Firefox with the passff plugin
>     https://github.com/jvenant/passff
> 
>     Having your GPG passphrase exposed to a hostile environment (browser) is
>     never a good idea, in principle all (other) browser plugins might be
>     able to intercept your key and passphrase.
> 
>     Currently some coders at IJhack are looking into a different backend (as
>     opposed to git + local filesystem) that allows for rate-limiting and a
>     paper trail of who accessed which passwords and when, this would make
>     pass a viable alternative to enterprises that need stuff like that.
> 
>     I am looking into making a browser plugin for chrome like passff but
>     it's still in extremely early stages.
> 
>     Greetings,
>         Anne Jan
> 
>     On 2016-02-08 10:04, GOYOT Martin wrote:
>     > Hello Alexandre,
>     >
>     > Thanks for the tip, I decided to use the android app.
>     >
>     > This said I would love you to explain me why this would be a bad idea.
>     > This could work exactly like what LastPass is doing for instance.
>     >
>     > Regards,
>     > -- Martin
>     >
>     > On Mon, Feb 8, 2016 at 10:00 AM Alexandre PUJOL <list at pujol.io
>     <mailto:list at pujol.io>> wrote:
>     >
>     >> Using git, you can use any git sever and git web app (like cgit) as
>     >> a
>     >> pass web viewer. Then, the git server will allow you to sync your
>     >> passwords between you device, and thus use the good pass client for
>     >> your
>     >> device (pass, pass-ios, Android-Password-Store...)
>     >>
>     >> However the git web app only output the tree of the password
>     >> directory.
>     >> The content itself stay encrypted. Do NOT try to create a tool in
>     >> order
>     >> to decrypt and output it in a web browser. As said Dashamir Hoxha
>     >> it
>     >> would not be a good idea at all.
>     >> Because you must NOT:
>     >> - Use any server to decrypt your password.
>     >> - Use JavaScript to decrypt the password directly in a web browser.
>     >>
>     >> This is why there is not pass web app, all the pass server you
>     >> would
>     >> ever need already exist it is a git server.
>     >>
>     >> Regards,
>     >> Alex
>     >>
>     >> On 07/02/16 20:57, GOYOT Martin wrote:
>     >>> Oh I didn't know of keybase. Looks like a really interesting
>     >> project!
>     >>>
>     >>> Also I don't know if Kenny Stier had the mailing list in copy
>     >> when he
>     >>> replied to me, but he pointed me to two mobile applications that
>     >> can
>     >>> deal with pass:
>     >>>
>     >>> https://github.com/zeapo/Android-Password-Store [1]
>     >>> https://github.com/davidjb/pass-ios#readme [2]
>     >>>
>     >>> I decided to give the android app a try, and for my really small
>     >> test
>     >>> until now, looks good!
>     >>>
>     >>> On Sun, Feb 7, 2016 at 8:24 PM Santiago Borrazás
>     >> <sanbor at gmail.com <mailto:sanbor at gmail.com>
>     >>> <mailto:sanbor at gmail.com <mailto:sanbor at gmail.com>>> wrote:
>     >>>
>     >>> Also, maybe using the Keybase
>     >>> filesystem
>     >> https://keybase.io/introducing-the-keybase-filesystem [3]
>     >>>
>     >>> On Sun, Feb 7, 2016 at 10:22 AM, Dashamir Hoxha
>     >>> <dashohoxha at gmail.com <mailto:dashohoxha at gmail.com>
>     <mailto:dashohoxha at gmail.com <mailto:dashohoxha at gmail.com>>> wrote:
>     >>>
>     >>> In principle, you can use `git clone` or `rsync` to copy
>     >>> ~/.password-store to a portable device (usb, phone,
>     >> smartphone,
>     >>> etc.). You can copy there the corresponding GPG key as
>     >> well.
>     >>> Then, on another computer, you can tell pass to use the
>     >> data on
>     >>> the portable device by setting environment variables like
>     >> this:
>     >>>
>     >>> export PASSWORD_STORE_DIR="/dev/sdb1/.password-store"
>     >>> export
>     >> PASSWORD_STORE_GPG_OPTS="--homedir=/dev/sdb1/.gnupg"
>     >>>
>     >>> Or you can define an alias like this:
>     >>>
>     >>> alias
>     >> pass="PASSWORD_STORE_DIR='/dev/sdb1/.password-store'
>     >>> PASSWORD_STORE_GPG_OPTS='--homedir=/dev/sdb1/.gnupg'
>     >> pass"
>     >>>
>     >>> I haven't tried this but it should work. Maybe somebody
>     >> has
>     >>> written any blog or tutorial about this, with more
>     >> detailed
>     >>> instructions.
>     >>>
>     >>> Sorry, I know nothing about any web interface to pass.
>     >> And I
>     >>> don't even think it would be a good idea.
>     >>>
>     >>> Regards,
>     >>> Dashamir
>     >>>
>     >>> On Sun, Feb 7, 2016 at 6:11 PM, GOYOT Martin
>     >> <martin at piwany.com <mailto:martin at piwany.com>
>     >>> <mailto:martin at piwany.com <mailto:martin at piwany.com>>> wrote:
>     >>>
>     >>> Hello there,
>     >>>
>     >>> This is my first mail here, so if I'm doing anything
>     >> wrong
>     >>> please tell me. I just wanted to know if there was
>     >> any web
>     >>> app or mobile app that was able to deal with the pass
>     >>> utility as a backend.
>     >>>
>     >>> I'm using pass since quite some time now, and I
>     >> really love
>     >>> it. But sometimes I need to access my passwords and
>     >> sadly
>     >>> I'm not on my own computer with pass installed, my
>     >> gpg key
>     >>> and so on. So I was wondering if something like a web
>     >> or
>     >>> mobile interface capable to answer this problematic
>     >> already
>     >>> exists.
>     >>>
>     >>> Regards,
>     >>> -- Martin
>     >>>
>     >>> _______________________________________________
>     >>> Password-Store mailing list
>     >>> Password-Store at lists.zx2c4.com
>     <mailto:Password-Store at lists.zx2c4.com>
>     >>> <mailto:Password-Store at lists.zx2c4.com
>     <mailto:Password-Store at lists.zx2c4.com>>
>     >>>
>     >> http://lists.zx2c4.com/mailman/listinfo/password-store [4]
>     >>>
>     >>>
>     >>>
>     >>> _______________________________________________
>     >>> Password-Store mailing list
>     >>> Password-Store at lists.zx2c4.com
>     <mailto:Password-Store at lists.zx2c4.com>
>     >>> <mailto:Password-Store at lists.zx2c4.com
>     <mailto:Password-Store at lists.zx2c4.com>>
>     >>> http://lists.zx2c4.com/mailman/listinfo/password-store
>     >> [4]
>     >>>
>     >>>
>     >>>
>     >>>
>     >>> _______________________________________________
>     >>> Password-Store mailing list
>     >>> Password-Store at lists.zx2c4.com
>     <mailto:Password-Store at lists.zx2c4.com>
>     >>> http://lists.zx2c4.com/mailman/listinfo/password-store [4]
>     >>>
>     >> _______________________________________________
>     >> Password-Store mailing list
>     >> Password-Store at lists.zx2c4.com
>     <mailto:Password-Store at lists.zx2c4.com>
>     >> http://lists.zx2c4.com/mailman/listinfo/password-store [4]
>     >
>     >
>     > Links:
>     > ------
>     > [1] https://github.com/zeapo/Android-Password-Store
>     > [2] https://github.com/davidjb/pass-ios#readme
>     > [3] https://keybase.io/introducing-the-keybase-filesystem
>     > [4] http://lists.zx2c4.com/mailman/listinfo/password-store
>     >
>     > _______________________________________________
>     > Password-Store mailing list
>     > Password-Store at lists.zx2c4.com <mailto:Password-Store at lists.zx2c4.com>
>     > http://lists.zx2c4.com/mailman/listinfo/password-store
> 


More information about the Password-Store mailing list