@prologic@twtxt.net @movq@www.uninformativ.de this is the default behavior of pass on my machine:

Image

I add a new password entry named example and then type pass example. The password I chose, “test”, is displayed in cleartext. This is very bad default behavior. I don’t know about the other clis you both mentioned but I’ll check them out.

The browser plugin browserpass does the same kind of thing, though I have already removed it and I’m not going to reinstall it to make a movie. Next to each credential there’s an icon to copy the username to the clipboard, an icon to copy the password to the clipboard, and then an icon to view details, which shows you everything, including the password, in cleartext. The screencap in the Chrome store is out of date; it doesn’t show the offending link to show all details, which I know is there because I literally installed it today and played with it.

@abucci@anthony.buc.ci I think you raise a good point really, in that the default should be to copy to clipboard IMO. Hmmm 🤔

@abucci@anthony.buc.ci I think you’ve raised such a good point, I’d encourage you to raise this upstream with gopass, possibly even submit a PR 👌

@movq@www.uninformativ.de

Now, it’s up for debate if this kind of behavior is appropriate for a password manager. 😅

This is worth the debate for sure. As an aside, whenever I have to show the password on the terminal for some reason or another, I always make sure I clear the terminal buffer and history with ^L^R 😅

@movq@www.uninformativ.de

refuse to print clear text passwords if stdout is a terminal

But then you lose the very rare (admitely) use-case of:

1. I generate a strong password and store it
   
2. I then show the password on my terminal
   
3. Get my wife/daughter to manually type it in to another device
   

🤣

@abucci@anthony.buc.ci I often need to see plaintext password to input them in other devices, but I agree that it should be a second step not the default behaviour.
In many mainstream managers it requires clicking on an eye button 👁️

@abucci@anthony.buc.ci passwordless FTW 😁
Or Single Use Passwords, or authentication with Key Pairs. Not having to manage, see and type characters.

Sadly, everything uses passwords, so… 😐

@abucci@anthony.buc.ci interesting. I’ll take a look. With BitWarden I don’t need to do that, and it cleans the clipboard after a few secs, but I understand you use case. I’m looking for alternatives to BitWarden, but as we’ve discussed, there are many differences to take into consideration.

On watching passwords in plain text I mean typing passwords on some strange devices like TV sets, public or family computers (risky!), Xbox, Switch. I like that now many offer a “Login with another device” that simplifies that process if you already have a session on a mobile.

@abucci@anthony.buc.ci yeah, I just found it this week, and looks very complete as a replacement to BitWarden.
I should run an instance soon. Although I’m deciding if I stay with Warden passflow or I jump to another manager. (Vector is looking cool as well)

Have you used VaultWarden? Any advice?

@abucci@anthony.buc.ci So.. The issue is that its showing the password by default? Would making an alias to always include the -c help? We can probably engage Jason with a PR to enable a more hardened approach when desired. I’ve spoken to him before and is generally a pretty open to ideas.

I found this app that was created by the gopass author that does copy by default and has a tui or GUI mode https://github.com/cortex/ripasso

@abucci@anthony.buc.ci So.. The issue is that its showing the password by default? Would making an alias to always include the -c help? We can probably engage Jason with a PR to enable a more hardened approach when desired. I’ve spoken to him before and is generally a pretty open to ideas.

I found this app that was created by the gopass author that does copy by default and has a tui or GUI mode https://github.com/cortex/ripasso