What does HackerNews think of gopass?
The slightly more awesome standard unix password manager for teams
I also (in looking through other threads) found https://github.com/gopasspw/gopass and by reading the code learned how TOTP works.
Initially, I had used `gopass`. It is probably the most convenient way to start using the password-store. It is cross-platform, 100% compatible with pass & pass-otp. To copy the password, you basically type the part of the file you are looking for. If you type "gopass show github", it will display a TUI, where you can select the file you are looking for (let's say you have two files "personal/github.com.gpg" and "work/github.com.gpg"). Unfortunately, the search function was far from perfect, and it had a problem with typos like "gtihbu" at the time when I was using it.
To get rid of this issue, I decided to adapt pass/gopass to use `fzf` [2]. At the same time, my .password-store/ dir was rapidly growing, which made me think about implementing pass from scratch. I improved the implementation to have better caching, synchronization between machines/mobile, but more importantly, a simple `secret [arg]` command that will execute `fzf` to list all known creds and simplify selection of the password. Of course, it accepted an argument that was limiting the results, which is great when you need to get back to the previous credential to retype something.
The introduction of `fzf` made it really convenient, and I decided to add more commands with fuzzy search, such as:
- `otp` - limits results to files containing a TOTP/HOTP token, calculates it and copies it to the clipboard.
- `secret-edit`, `secret-remove`, `secret-show`... aliases to sub-commands that open the `fzf` command in multi-selection mode, so by using the space key I could select which files are meant to be modified, removed, displayed etc. Quite handy for mass-edit.
- `secret-qr` - similar to the gopass feature, but it made a simplified way to create and display QR codes dedicated to sharing contacts, WiFi SSID+password combinations (etc.) with someone who was asking me for creds.
Awesome, but alt-tabbing to the terminal got me annoyed after a few years of using it that way. I started looking for a more sophisticated interface. I decided to give `rofi` [3] a try. I managed to fork that repo and also adapt it to my convention of using password-store, but I left i3 for macOS.
Currently, I have started working on a browser extension that takes care of suggesting password-store creds (based on the path, input parameters, location on the website etc.) similarly to what uBlock Origin does. That configuration is passed to my pass implementation, so on github.com, my browser has only the "work" and "personal" auto-suggestions when I am focusing the text input.
I plan to create a similar app to Shortcat [4], but it will preserve the information about which credential has been asked for by the focused app. I think, with VoiceOver assistance, it is more than possible to mitigate the need for alt-tabbing to the terminal for electron/native apps.
[0]: It is a private repository, maybe when it will be polished enough I will open-source it.
[1]: https://github.com/gopasspw/gopass
[2]: https://github.com/junegunn/fzf
[3]: https://github.com/alecdwm/pass-rofi-gui
Edit: About the AWS login form. I strongly recommend giving `aws-vault` (https://github.com/99designs/aws-vault) a try. It helps you skip the login form with a simple command e.g.: "aws-vault login acme-corp --duration 2h". I find it better than `aws-mfa` on my dev machine.
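The comment above relies on pass-otp compatibility and an `otp` command that computes the current code from a stored secret. The following is an added example, not code from gopass, pass-otp or the commenter: it parses an `otpauth://` line of the kind pass-otp and gopass keep inside a secret file (assumption: the URI format with `secret`, `algorithm`, `digits`, `period`/`counter` query parameters) and derives the HOTP (RFC 4226) and TOTP (RFC 6238) code from it. The sample URI is constructed and carries the RFC test key, so the values it produces can be checked against the published vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed sample of the line pass-otp / gopass store in a secret file.
# The secret is the RFC 6238 test key "12345678901234567890" in base32;
# label and issuer are made up.
SAMPLE_OTPAUTH = (
    "otpauth://totp/github.com:alice"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=GitHub&algorithm=SHA1"
    "&digits=8&period=30"
)


def parse_otpauth(uri):
    """Return (kind, key_bytes, algorithm, digits, period_or_counter)."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth://totp or otpauth://hotp URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    secret = q["secret"].strip().replace(" ", "").upper()
    secret += "=" * (-len(secret) % 8)  # many apps omit base32 padding
    key = base64.b32decode(secret)
    algo = q.get("algorithm", "SHA1").upper()
    digits = int(q.get("digits", 6))
    if u.netloc == "totp":
        step = int(q.get("period", 30))
    else:
        step = int(q["counter"])  # HOTP: the counter parameter is mandatory
    return u.netloc, key, algo, digits, step


def hotp(key, counter, digits=6, algo="SHA1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation."""
    digestmod = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256,
                 "SHA512": hashlib.sha512}[algo]
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key, at=None, period=30, digits=6, algo="SHA1"):
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    if at is None:
        at = time.time()
    return hotp(key, int(at) // period, digits, algo)


def code_from_otpauth(uri, at=None):
    """What an `otp` helper does: read the stored URI, emit the current code."""
    kind, key, algo, digits, step = parse_otpauth(uri)
    if kind == "totp":
        return totp(key, at, step, digits, algo)
    return hotp(key, step, digits, algo)


if __name__ == "__main__":
    # With the real secret file this would be the output copied to the clipboard.
    print(code_from_otpauth(SAMPLE_OTPAUTH))
```

The base32 padding step matters in practice: pass-otp stores whatever the enrolment QR code contained, and many issuers emit unpadded secrets that `b32decode` rejects unless padded to a multiple of eight characters.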
I don't want to be the one who points it out, but how about switching to the password-store [0] (or gopass [1] - way easier), which works under all operating systems and keeps secrets versioned (via git).
With pass(1) you name your credentials according to their purpose. For example, you could use the following naming pattern: [client-name]/[website/subject]/[secret-name], e.g. acme-corp/github.com/ssh/public-key, other-client/github.com/account, personal/gmail.com/password etc. That way, removal of old/unused secrets is as simple as doing "gopass rm -r [client-name]". There are also many more commands to list or print a tree of stored credentials.
Generally speaking, pass(1)/gopass(1) is a very simple way to manage credentials. I can't say how much I recommend that flow instead of using KeePass or plain-text files. Additionally, if you need those secrets on a mobile phone there is an Android app [2] that might be very handy in some situations. This Android app, and also gopass(1), have an OTP code calculator (similar to the one in Google Authenticator), so you might be happier adapting yourself to use 2FA.
[0]: https://www.passwordstore.org/
[1]: https://github.com/gopasspw/gopass
[2]: https://github.com/android-password-store/Android-Password-S...
However, I primarily use it for the `gopass search` output. This is where `pass` really sucks for those who copy-paste.
Cross-platform, git versioning, gpg security (allows you to integrate with smartcards and tokens that you might already have in place for your employees).
Decent UX too, works with clipboard, supports totp.
They both store passwords/data in gpg-encrypted files in a git repo. I'm not sure what the state of GUIs/browser plugins are for it, but I'm pretty sure there are some out there.
You can also set up your git config to be able to diff encrypted .gpg files so that the files are diff-able even though they're encrypted.