PSA: critical security vulnerability in third-party pass-compatible software, "QtPass"

Niklas Hambüchen mail at
Thu Jan 4 18:33:21 CET 2018

Hello Jason, thanks for this announcement, I think it's effective and
useful to broadcast that here.

On 04/01/2018 17.35, Jason A. Donenfeld wrote:
> All passwords generated with "QtPass"'s built-in password generator

Would it be possible to have QtPass or any other GUIs of this kind have
`pass` generate the passwords for them? That way, it would always use
whatever method `pass` thinks is best for generating passwords.

It would be really great if GUIs like that could really just be GUIs and
delegate all cryptographically relevant operations to `pass`.

To my knowledge, QtPass, beyond being compatible with pass, already has
an option in the settings to use the `pass` executable for all storage
operations. But it doesn't have an option to make `pass` generate the

Does `pass` already have an interface that QtPass could use to let it
generate passwords?

The only info I've found on this so far is in,
where the QtPass maintainer says:

I'm waiting for the upcoming release of pass which supports a plugin
system and if I recall correctly a straightforward way to select a
password generator too.

from February 2017.
