[pass] Password age report

Simon Lackerbauer simon at lackerbauer.com
Thu Sep 1 11:39:14 CEST 2016


Well, don't forget to send it through pass first to decrypt, like

date -d @$(pass git blame -L 1,1 --porcelain dropbox.com.gpg | sed -n 's/^committer-time //p')

as otherwise that will just compare the first lines of encrypted files
which shouldn't change with the file because it holds gpg status
information.

cheers

On 08/31/2016 10:52 PM, Lenz Weber wrote:
> pass integrates with git blame for plaintext comparison. if you can
> still decrypt older entries, this should give you exact change dates.
> 
> try something like
> 
> date -d @$(git blame -L 1,1 --porcelain dropbox.com.gpg | sed -n 's/^committer-time //p')
> 
> (taken from this mail on the mailing list:
> https://lists.zx2c4.com/pipermail/password-store/2016-May/002280.html )
> 
> 
> On 31.08.2016 at 21:09, Daniel Dörrhöfer wrote:
>> On 31.08.2016 19:02, Kjetil Torgrim Homme wrote:
>>> On 31 Aug. 2016 at 17:48, Brian Candler wrote:
>>>> On 31/08/2016 16:43, Emile Cantin wrote:
>>>>> In light of the recent Dropbox leak, I wanted to know how old my
>>>>> password was, and perhaps if I had any other old passwords that would
>>>>> be due for a rotation. I don't think I can rely on the last
>>>>> modification date on the files, as a fresh clone of my repo would have
>>>>> today's date, even if the file was last modified in my repo in 2012. I
>>>>> looked into how to do this with Git, but it's pretty
>>>>> ungainly: http://serverfault.com/questions/401437/how-to-retrieve-the-last-modification-date-of-all-files-in-a-git-repository
>>>>>
>>>>> Keepass has an "expiration date" field which you can set when
>>>>> generating a password, and it appears in a different color in the list
>>>>> when expired.
>>>>>
>>>>> I think password age is a relevant metric for a password manager, but
>>>>> pass doesn't currently offer any visibility into this.
>>>>>
>>>>> What do you think?
>>>> This is (another) reason why it would be good if pass were to sign its
>>>> GPG files. The signature includes a timestamp.
>>> re-encrypting the files to a new set of keys will make a new signature.
>>> you need to make the date part of the password file itself, or have pass
>>> maintain some metadata in a separate file, e.g., "work/supplier.gpg"
>>> could have a companion file "work/.meta.supplier.gpg", containing:
>>>
>>>   created: 2015-03-02T14:25:02+0200
>>>   updated: 2016-08-31T18:55:32+0200
>>>   expire: never
>>>
>>> the above syntax is valid YAML which can be useful if more complex
>>> structures are wanted later.
>>>
>>> it might be useful to allow encryption of the metadata to be optional.
>>>
>> I like the git way of checking it. This is how to get a complete history
>> of dropbox.com.
>>
>> pass git log --pretty="%s %Cgreen %cr %Creset" | grep dropbox.com
>>
>> Of course, a signature is additional security.
>>
>>
>>
>> _______________________________________________
>> Password-Store mailing list
>> Password-Store at lists.zx2c4.com
>> http://lists.zx2c4.com/mailman/listinfo/password-store


-- 
www.lackerbauer.com
B0CB 1DB6 C2E5 8167 4CB4  2136 564A DEDA 01BD 6EFA
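
The git-based check discussed in this thread, extended to every entry in the store, as an added example that is not part of the original messages. It uses `git log -1` on each file instead of the `git blame` one-liner above, so nothing is decrypted; the function name `pass_age_report` and its two arguments are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread: list pass entries by the age of the
# newest commit that touched them. Assumes the store is a git repository
# with one .gpg file per entry (the layout the thread describes).

# pass_age_report [MIN_AGE_DAYS] [STORE_DIR]   (hypothetical helper)
# Prints "<age in days> TAB <date of newest commit> TAB <entry>" for every
# entry whose newest commit is at least MIN_AGE_DAYS old, oldest first.
pass_age_report() (
    min_days=${1:-0}
    store=${2:-${PASSWORD_STORE_DIR:-$HOME/.password-store}}
    now=$(date +%s)

    git -C "$store" rev-parse --git-dir >/dev/null 2>&1 || {
        echo "pass_age_report: $store is not a git repository" >&2
        exit 1
    }

    # core.quotepath=off keeps non-ASCII entry names readable in the listing.
    git -C "$store" -c core.quotepath=off ls-files -- '*.gpg' |
    while IFS= read -r file; do
        # Committer timestamp and short date of the newest commit for this file.
        meta=$(git -C "$store" log -1 --format='%ct %cd' --date=short -- "$file")
        [ -n "$meta" ] || continue      # staged but never committed
        ts=${meta%% *}
        day=${meta#* }
        age=$(( (now - ts) / 86400 ))
        if [ "$age" -ge "$min_days" ]; then
            printf '%d\t%s\t%s\n' "$age" "$day" "${file%.gpg}"
        fi
    done | sort -rn
)
```

A commit that re-encrypts an entry to a new set of keys also counts as its newest commit, so the reported age is a lower bound on how long the password itself has been unchanged.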

