[pass] Password age report

Lenz Weber mail at lenzw.de
Thu Sep 1 13:33:57 CEST 2016


nope, not necessary - take a look at your .gitattributes: git diff will
use gpg for decrpytion before diffing.

pass sets it up that way for you ;)

On 01.09.2016 11:39, Simon Lackerbauer wrote:
> Well, don't forget to send it through pass first to decrypt, like
>
> date -d @$(pass git blame -L 1,1 --porcelain dropbox.com.gpg | sed -n
> 's/^committer-time //p')
>
> as otherwise that will just compare the first lines of encrypted files
> which shouldn't change with the file because it holds gpg status
> information.
>
> cheers
>
> On 08/31/2016 10:52 PM, Lenz Weber wrote:
>> pass integrates with git blame for plaintext comparison. if you can
>> still decrypt older entries, this should give you exact change dates.
>>
>> try something like
>>
>> date -d @$(git blame -L 1,1 --porcelain dropbox.com.gpg | sed -n
>> 's/^committer-time //p')
>>
>> (taken from this mail on the mailing list:
>> https://lists.zx2c4.com/pipermail/password-store/2016-May/002280.html )
>>
>>
>> Am 31.08.2016 um 21:09 schrieb Daniel Dörrhöfer:
>>> On 31.08.2016 19:02, Kjetil Torgrim Homme wrote:
>>>> Den 31. aug. 2016 17:48, Brian Candler skreiv:
>>>>> On 31/08/2016 16:43, Emile Cantin wrote:
>>>>>> In light of the recent Dropbox leak, I wanted to know how old my
>>>>>> password was, and perhaps if I had any other old passwords that would
>>>>>> be due for a rotation. I don't think I can rely on the last
>>>>>> modification date on the files, as a fresh clone of my repo would have
>>>>>> today's date, even if the file was last modified in my repo in 2012. I
>>>>>> looked into how to do this with Git, but it's pretty
>>>>>> ungainly: http://serverfault.com/questions/401437/how-to-retrieve-the-last-modification-date-of-all-files-in-a-git-repository
>>>>>>
>>>>>> Keepass has an "expiration date" field which you can set when
>>>>>> generating a password, and it appears in a different color in the list
>>>>>> when expired.
>>>>>>
>>>>>> I think password age is a relevant metric for a password manager, but
>>>>>> pass doesn't currently offer any visibility into this.
>>>>>>
>>>>>> What do you think?
>>>>> This is (another) reason why it would be good if pass were to sign its
>>>>> GPG files. The signature includes a timestamp.
>>>> re-encrypting the files to a new set of keys will make a new signature.
>>>> you need to make the date part of the password file itself, or have pass
>>>> maintain some metadata in a separate file, e.g., "work/supplier.gpg"
>>>> could have a companion file "work/.meta.supplier.gpg", containing:
>>>>
>>>>   created: 2015-03-02T14:25:02+0200
>>>>   updated: 2016-08-31T18:55:32+0200
>>>>   expire: never
>>>>
>>>> the above syntax is valid YAML which can be useful if more complex
>>>> structures are wanted later.
>>>>
>>>> it might be useful to allow encryption of the metadata to be optional.
>>>>
>>> I like the git way of checking it. This is how to get a complete history
>>> of dropbox.com.
>>>
>>> pass git log --pretty="%s %Cgreen %cr %Creset" | grep dropbox.com
>>>
>>> Of course signature is an additional security.
>>>
>>>
>>>
>>> _______________________________________________
>>> Password-Store mailing list
>>> Password-Store at lists.zx2c4.com
>>> http://lists.zx2c4.com/mailman/listinfo/password-store
>>
>>
>>
>> _______________________________________________
>> Password-Store mailing list
>> Password-Store at lists.zx2c4.com
>> http://lists.zx2c4.com/mailman/listinfo/password-store
>>
>



More information about the Password-Store mailing list