I mainly use pass as the password manager on my device. In this article, I’ve collected some convenient tips for using the program.
You can copy lines other than the first: for example
pass -c2 password/name
copies the second line of the password stored in
Here is a short fish shell function which first copies the login information to the clipboard, and then the password (after confirming the prompt):
function psk --wraps='pass show'
    # Take the value from the first "key: value" line of the entry
    set -l username (pass show $argv | string match -r ".+:\ (.+)" | head -n 2 | tail -n 1)
    if test -n "$username"
        echo -n "$username" | pbcopy
        echo "Copied $argv login to clipboard."
        read -p 'echo "Press ENTER to continue "'
    else
        echo "$argv has no login"
    end
    # Copy the password (first line of the entry) to the clipboard
    pass show -c $argv
end
The username is extracted from the first matching line of the form
You don’t need to use "username": any string not containing the substring ":" is fine.
If there is no matching line, the password will be immediately copied to the clipboard.
To use this function, call it like
Autocompletions are provided from
pass show by the
For this use case, I’ve also written a small fish plugin.
It implements this behaviour in a more well-defined way (using yq to parse YAML), along with a couple extra features.
pass generate -i password/name
generates a new password in password/name, which only replaces the first line (preserving the other information).
With this, we can write a utility function to update existing passwords:
function psu --wraps='pass show'
    pass show -c $argv
    read -p 'echo "Press ENTER to generate replacement password "'
    pass generate -ic $argv > /dev/null
    echo "Copied updated password to the clipboard"
end
control the characters which are used when
pass -n) is used to generate a new password.
Under the hood, pass generates the password by piping from /dev/urandom and using tr -dc to remove characters which are not in the allowed character list:
tr -dc "$characters" < /dev/urandom
The default value is [:punct:][:alnum:] (all ASCII numbers, letters, and punctuation) for the general character set, and [:alnum:] (only numbers and letters) for the character set with no symbols.
See man tr for a description of other possible options.
It is also possible to change the default password length (which is 25). For example, if you want 50 character passwords, just
set -x PASSWORD_STORE_GENERATED_LENGTH 50
First, create a gpg key with no passphrase:
gpg --batch --passphrase '' --quick-gen-key <no-auth-key-id> default default
Now, choose a subfolder to encrypt using the new key:
pass init -p <no-auth-foldername> <no-auth-key-id>
Any password stored in this subfolder will not prompt you for authentication! This is useful for passwords which you may want to use in a non-interactive environment.
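Because the subfolder's key has no passphrase, anything that can read that private key can decrypt every entry under it, so it is worth checking exactly which entries that covers. The bash script below is an added example (not from the original article and not part of pass): for each entry it finds the nearest .gpg-id file walking up to the store root, which is how pass chooses recipients, and lists the entries whose .gpg-id names a given key. The key ids MAIN-KEY and NOAUTH-KEY and the sample tree are constructed, and matching the key id as an exact line of .gpg-id is an assumption.

```bash
#!/usr/bin/env bash
# Added example: list the pass entries encrypted to a given key id.

# pass takes an entry's recipients from the nearest .gpg-id file, walking up
# from the entry's directory to the store root. Print that file's path.
nearest_gpg_id() {   # $1 = store root, $2 = directory inside the store
    local dir=$2
    while [ -n "$dir" ] && [ "$dir" != "$1" ] && [ ! -f "$dir/.gpg-id" ]; do
        dir=${dir%/*}
    done
    printf '%s\n' "$dir/.gpg-id"
}

# Print every entry (sorted, .gpg suffix removed) whose .gpg-id lists key id $2.
# Assumption: $2 is spelled exactly as it was given to `pass init`.
entries_for_key() {  # $1 = store root, $2 = key id
    local store=${1%/} entry idfile
    find "$store" -type f -name '*.gpg' | sort | while IFS= read -r entry; do
        idfile=$(nearest_gpg_id "$store" "${entry%/*}")
        if [ -f "$idfile" ] && grep -qxF -- "$2" "$idfile"; then
            entry=${entry#"$store"/}
            printf '%s\n' "${entry%.gpg}"
        fi
    done
}

# Constructed sample store: empty placeholder files, made-up key ids.
make_sample_store() {
    local s
    s=$(mktemp -d)
    mkdir -p "$s/email" "$s/ci/deploy"
    printf 'MAIN-KEY\n' > "$s/.gpg-id"
    printf 'NOAUTH-KEY\n' > "$s/ci/.gpg-id"
    : > "$s/email/work.gpg"; : > "$s/ci/registry.gpg"; : > "$s/ci/deploy/token.gpg"
    printf '%s\n' "$s"
}

store=$(make_sample_store)
echo "Entries decryptable without a passphrase prompt:"
entries_for_key "$store" NOAUTH-KEY
rm -rf "$store"
```

To run it against a real store, pass the store root (by default ~/.password-store, or $PASSWORD_STORE_DIR if set) and the key id used with pass init -p.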
When you enter your password to unlock your GPG key associated with the password store, there is a delay before you are required to provide your password again. There are two relevant values here:
default-cache-ttl, which defaults to 600 (i.e. 10 minutes), and
max-cache-ttl, which defaults to 7200 (2 hours)
default-cache-ttl is how long the password remains cached from the last time you entered your password, and max-cache-ttl is the maximum possible time that the cache can exist.
In other words, as long as you keep using the key every 10 minutes, you will only be prompted for your password once every 2 hours.
In order to change these values, add the lines (say)
default-cache-ttl 3600
max-cache-ttl 86400
to the file
This sets the default timeout to 1 hour, and the maximum cache time to 24 hours.