Alex Rutar

Some Tricks with Unix Pass

Pass Unix

I mainly use pass as the password manager on my device. In this article, I’ve collected some convenient tips for using the program.

Showing and copying passwords

Copy additional lines

You can copy lines other than the first. For example,

pass -c2 password/name

copies the second line of the entry stored in password/name to the clipboard.

Copy login and password to clipboard

Here is a short fish shell function which first copies the login information to the clipboard, and then the password (after confirming the prompt):

function psk --wraps='pass show'
    # string match -r prints the whole match on one line and the capture group on the next,
    # so "head -n 2 | tail -n 1" takes the captured value from the first "label: value" line
    set -l username (pass show $argv | string match -r ".+:\ (.+)" | head -n 2 | tail -n 1)
    if test -n "$username"
        echo -n "$username" | pbcopy
        echo "Copied $argv login to clipboard."
        read -p 'echo "Press ENTER to continue "'
    else
        echo "$argv has no login"
    end
    # Copy the password (first line of the entry) using pass's own clipboard handling
    pass show -c $argv
end

The username is extracted from the first line of the entry that has the form

username: <value>

The label does not have to be username: any label that does not itself contain a colon works. If no line matches, the password is copied to the clipboard immediately.

To use this function, call it like

psk password/name

Tab completions are inherited from pass show through the --wraps option.

For this use case, I’ve also written a small fish plugin. It implements this behaviour in a better-defined way (using yq to parse the entry as YAML), along with a couple of extra features.
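The same parsing step in POSIX sh, as an added example that is not part of the original post or the author's plugin. Instead of taking the first "label: value" line, pass_field looks up a named label, skips the first line so the password itself is never mistaken for a field, and returns a non-zero status when the label is absent, which is what a wrapper needs to decide whether to prompt. psk_sh reproduces the fish psk flow on top of it; the entry text, the function names and the use of pbcopy (macOS, as in the post) are assumptions made for the example.

```shell
# Added example (not from the original post): read a "label: value" field from a pass
# entry supplied on stdin. Exit status 0 and the value on stdout when found, 1 otherwise.
# Usage: pass show site/login | pass_field username
pass_field() {
    key=$1
    # Line 1 is the password itself, so it is never parsed as a field.
    tail -n +2 | awk -v k="$key" '
        index($0, k ": ") == 1 { print substr($0, length(k) + 3); found = 1; exit }
        END { exit (found ? 0 : 1) }'
}

# Constructed sample entry in the layout "pass show" prints (password first, then fields).
SAMPLE_ENTRY='correct horse battery staple
username: alice
url: https://example.invalid/login'

# Copy the login first, then the password, like the fish psk function.
# Assumes pass and pbcopy are installed (swap pbcopy for xclip/wl-copy on Linux).
psk_sh() {
    if login=$(pass show "$1" | pass_field username); then
        printf '%s' "$login" | pbcopy
        echo "Copied $1 login to clipboard."
        printf 'Press ENTER to continue '
        read -r _
    else
        echo "$1 has no login"
    fi
    pass show -c "$1"
}
```

Because the label is compared with index() rather than used as a regular expression, labels containing regex metacharacters are matched literally, and a line such as "url: https://example.invalid/login" yields the full value including its own colon.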

Updating existing passwords

The command

pass generate -i password/name

generates a new password in password/name, replacing only the first line and preserving the rest of the entry. With this, we can write a utility function to update existing passwords:

function psu --wraps='pass show'
    # Copy the current password first; the replacement is only generated after confirmation
    pass show -c $argv
    read -p 'echo "Press ENTER to generate replacement password "'
    # -i keeps every line but the first, -c copies the new password; pass's own message is silenced
    pass generate -ic $argv > /dev/null
    echo "Copied updated password to the clipboard"
end

Invoke with psu password/to/update.

Configuration options

The variables

PASSWORD_STORE_CHARACTER_SET
PASSWORD_STORE_CHARACTER_SET_NO_SYMBOLS

control the characters used when pass generate (resp. pass generate -n) creates a new password. Under the hood, pass reads from /dev/urandom and uses tr -dc to delete every byte that is not in the allowed set:

tr -dc "$characters" < /dev/urandom

The default value is [:punct:][:alnum:] (all ASCII digits, letters, and punctuation) for the general character set, and [:alnum:] (digits and letters only) for the character set with no symbols. See man tr for the other character classes you can use.

It is also possible to change the default password length (which is 25). For example, if you want 50-character passwords, just

set -x PASSWORD_STORE_GENERATED_LENGTH 50
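The generation pipeline as a standalone POSIX sh function, added here as an example and not taken from pass itself, so the effect of the three variables can be tried without writing anything to the store. It reads the same environment variables pass does and falls back to the same defaults; the LC_ALL=C prefix is there because tr in a UTF-8 locale may reject the invalid multibyte sequences /dev/urandom produces. The function names and the only_charset checker are assumptions made for this example.

```shell
# Added example (not from the original post or from pass): generate a password the way
# pass does, honouring PASSWORD_STORE_CHARACTER_SET, PASSWORD_STORE_CHARACTER_SET_NO_SYMBOLS
# and PASSWORD_STORE_GENERATED_LENGTH. Usage: gen_password [n] [length]
gen_password() {
    if [ "${1:-}" = "n" ]; then
        # mirrors pass generate -n
        charset="${PASSWORD_STORE_CHARACTER_SET_NO_SYMBOLS:-[:alnum:]}"
    else
        charset="${PASSWORD_STORE_CHARACTER_SET:-[:punct:][:alnum:]}"
    fi
    length="${2:-${PASSWORD_STORE_GENERATED_LENGTH:-25}}"
    # LC_ALL=C: treat /dev/urandom as raw bytes so tr never chokes on a bad multibyte sequence
    LC_ALL=C tr -dc "$charset" < /dev/urandom | head -c "$length"
}

# Check that a password uses only characters from a tr character set.
# Returns 0 when every character is in the set, 1 otherwise.
# Usage: only_charset PASSWORD SET
only_charset() {
    leftover=$(printf '%s' "$1" | LC_ALL=C tr -d "$2" | wc -c | tr -d ' ')
    [ "$leftover" -eq 0 ]
}
```

only_charset is the inverse of the generation step: deleting the allowed set from a candidate should leave nothing behind, so it doubles as a quick audit of passwords produced with a custom PASSWORD_STORE_CHARACTER_SET.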

Managing GnuPG with pass

Create passwords which do not require authentication

First, create a gpg key with no passphrase:

gpg --batch --passphrase '' --quick-gen-key <no-auth-key-id> default default

Now, choose a subfolder to encrypt using the new key:

pass init -p <no-auth-foldername> <no-auth-key-id>

Any password stored in this subfolder can be read without being prompted for a passphrase. This is useful for passwords which you may want to use in a non-interactive environment.
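Once a subfolder has its own key, it is worth being able to tell which entries are encrypted to it. pass records the key for a subfolder in that folder's .gpg-id file and, for any entry, uses the nearest .gpg-id walking up from the entry's directory to the store root. The functions below, an added example that is not part of the original post or of pass, reproduce that lookup on a store layout and list every entry that ends up under the passphrase-less key; make_demo_store builds a constructed store in a temporary directory, and the key ids it writes are placeholders.

```shell
# Added example (not from the original post): resolve the .gpg-id that governs an entry,
# the way pass does (nearest .gpg-id from the entry's directory up to the store root).
# Prints the file's contents (one key id per line) or returns 1 if none is found.
# Usage: effective_gpg_id STORE_DIR RELATIVE/ENTRY/PATH
effective_gpg_id() {
    store=$1
    dir=$(dirname "$2")
    while :; do
        if [ -f "$store/$dir/.gpg-id" ]; then
            cat "$store/$dir/.gpg-id"
            return 0
        fi
        [ "$dir" = "." ] && return 1   # reached the store root without a .gpg-id
        dir=$(dirname "$dir")
    done
}

# List every entry (relative path without .gpg) whose effective key is KEY_ID,
# e.g. to audit which secrets are readable without a passphrase.
# Usage: entries_under_key STORE_DIR KEY_ID
entries_under_key() {
    store=$1
    key=$2
    find "$store" -name '*.gpg' | sort | while read -r f; do
        rel=${f#"$store/"}
        rel=${rel%.gpg}
        if [ "$(effective_gpg_id "$store" "$rel")" = "$key" ]; then
            echo "$rel"
        fi
    done
}

# Constructed demo store: the root uses a main key, and only "noauth/" was
# re-initialised with "pass init -p noauth <key>". Key ids are placeholders.
make_demo_store() {
    store=$(mktemp -d)
    printf '%s\n' 'MAIN-KEY-ID-PLACEHOLDER' > "$store/.gpg-id"
    mkdir -p "$store/noauth/api" "$store/personal"
    printf '%s\n' 'NOAUTH-KEY-ID-PLACEHOLDER' > "$store/noauth/.gpg-id"
    echo "$store"
}
```

On a real store, run entries_under_key "$HOME/.password-store" <no-auth-key-id> (or your PASSWORD_STORE_DIR) after the pass init -p step: everything it prints is readable without a passphrase, so the list should contain only the entries you deliberately placed in the subfolder.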

Change the default timeout

When you enter your password to unlock the GPG key associated with the password store, there is a delay before you are required to provide it again. There are two relevant values here:

  • default-cache-ttl, which defaults to 600 (i.e. 10 minutes), and
  • max-cache-ttl, which defaults to 7200 (2 hours)

The value default-cache-ttl is how long the password remains cached after the last time you used the key, and max-cache-ttl is the maximum time the cache can exist regardless of use. In other words, as long as you keep using the key at least once every 10 minutes, you will only be prompted for your password once every 2 hours.

In order to change these values, add the lines (say)

default-cache-ttl 3600
max-cache-ttl 86400

to the file ~/.gnupg/gpg-agent.conf. This sets the default timeout to 1 hour, and the maximum cache time to 24 hours.
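Appending those two lines by hand works once, but repeating it leaves duplicate options in the file. The POSIX sh functions below are an added example, not part of the original post: set_agent_cache_ttl replaces any existing default-cache-ttl and max-cache-ttl lines instead of appending, agent_cache_ttl reports the value currently in the file (falling back to the gpg-agent defaults of 600 and 7200 when a key is absent), and reload_gpg_agent asks a running agent to re-read its configuration with gpgconf, which ships with GnuPG 2.x. GPG_AGENT_CONF is an assumed override so the functions can be tried on a scratch file; without it they edit ~/.gnupg/gpg-agent.conf.

```shell
# Added example (not from the original post): idempotent edits to gpg-agent.conf.
# Set GPG_AGENT_CONF to point the functions at a scratch file; the default is the real one.
agent_conf() { printf '%s\n' "${GPG_AGENT_CONF:-$HOME/.gnupg/gpg-agent.conf}"; }

# Print the value of default-cache-ttl or max-cache-ttl from the conf file (last occurrence),
# or the gpg-agent default (600 resp. 7200) when the option is not set.
# Usage: agent_cache_ttl default-cache-ttl|max-cache-ttl
agent_cache_ttl() {
    key=$1
    case $key in
        default-cache-ttl) fallback=600 ;;
        max-cache-ttl)     fallback=7200 ;;
        *) echo "unknown key: $key" >&2; return 1 ;;
    esac
    conf=$(agent_conf)
    value=
    [ -f "$conf" ] && value=$(awk -v k="$key" '$1 == k { v = $2 } END { print v }' "$conf")
    printf '%s\n' "${value:-$fallback}"
}

# Write both cache values, replacing existing lines rather than appending duplicates.
# Usage: set_agent_cache_ttl DEFAULT_SECONDS MAX_SECONDS
set_agent_cache_ttl() {
    default_ttl=$1
    max_ttl=$2
    conf=$(agent_conf)
    tmp=$(mktemp)
    if [ -f "$conf" ]; then
        # keep every other option; grep exits 1 when nothing is left, which is fine here
        grep -v -E '^(default|max)-cache-ttl([[:space:]]|$)' "$conf" > "$tmp" || true
    fi
    printf 'default-cache-ttl %s\nmax-cache-ttl %s\n' "$default_ttl" "$max_ttl" >> "$tmp"
    mkdir -p "$(dirname "$conf")"
    mv "$tmp" "$conf"
}

# Ask a running gpg-agent to re-read its configuration so the new values take effect.
reload_gpg_agent() { gpgconf --reload gpg-agent; }
```

Typical use is set_agent_cache_ttl 3600 86400 followed by reload_gpg_agent; agent_cache_ttl max-cache-ttl then confirms what the file says before you rely on the longer cache.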