@prologic@twtxt.net @movq@www.uninformativ.de this is the default behavior of pass on my machine: I add a new password entry named example and then type pass example. The password I chose, “test”, is displayed in cleartext. This is very bad default behavior. I don’t know about the other CLIs you both mentioned but I’ll check them out.
The browser plugin browserpass does the same kind of thing, though I have already removed it and I’m not going to reinstall it to make a movie. Next to each credential there’s an icon to copy the username to the clipboard, an icon to copy the password to the clipboard, and then an icon to view details, which shows you everything, including the password, in cleartext. The screencap in the Chrome store is out of date; it doesn’t show the offending link to show all details, which I know is there because I literally installed it today and played with it.
@abucci@anthony.buc.ci Hmm, I see what you mean. 🤔
From a “UNIX” point of view, the current behavior feels correct. By default, print to stdout. If you want something else, then you have to specify a flag. That’s what a lot of UNIX tools do.
Now, it’s up for debate if this kind of behavior is appropriate for a password manager. 😅
@abucci@anthony.buc.ci I suspect that people might argue: “If we change the default behavior, then a ton of tools will have to be updated as well, so we can’t do that.” One way to alleviate this issue could be: Have pass show refuse to print clear text passwords if stdout is a terminal. 🤔
@prologic@twtxt.net Then we’ll add a pass --force show or something. 🥴
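The tty check proposed above, together with the --force escape hatch from the follow-up, sketched as an added example (not code from pass itself): `lookup_secret` is a constructed stand-in for `pass <entry>`, and `is_terminal` and `safe_show` are hypothetical names.

```shell
#!/bin/sh
# Added example: refuse to write a secret to stdout when stdout is a terminal,
# unless the caller explicitly asks with --force. Hypothetical wrapper, not pass.

# Constructed stand-in for `pass <entry>`; a real wrapper would run pass here.
lookup_secret() {
  case "$1" in
    example) printf '%s\n' 'test' ;;   # constructed entry from the thread
    *) return 1 ;;
  esac
}

# Kept as its own function so the policy is explicit: POSIX `[ -t 1 ]` is true
# when file descriptor 1 (stdout) is attached to a terminal.
is_terminal() {
  [ -t 1 ]
}

# safe_show ENTRY [--force]
# Exit status: 0 secret written to stdout (a pipe or file, or --force on a tty),
#              2 refused because stdout is a terminal, 1 entry not found.
safe_show() {
  entry=$1
  force=${2:-}
  if is_terminal && [ "$force" != "--force" ]; then
    printf 'safe_show: refusing to print "%s" in cleartext to a terminal; pipe it (e.g. to a clipboard tool) or pass --force\n' "$entry" >&2
    return 2
  fi
  lookup_secret "$entry"
}

# When run directly: `safe_show example | <clipboard tool>` still works,
# `safe_show example` on an interactive shell is refused.
if [ $# -gt 0 ]; then
  safe_show "$@"
fi
```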
@abucci@anthony.buc.ci I often need to see plaintext passwords to input them in other devices, but I agree that it should be a second step, not the default behaviour.
In many mainstream managers it requires clicking on an eye button 👁️
@abucci@anthony.buc.ci passwordless FTW 😁
Or Single Use Passwords, or authentication with Key Pairs. Not having to manage, see and type characters.
Sadly, everything uses passwords, so… 😐
@abucci@anthony.buc.ci interesting. I’ll take a look. With BitWarden I don’t need to do that, and it cleans the clipboard after a few secs, but I understand your use case. I’m looking for alternatives to BitWarden, but as we’ve discussed, there are many differences to take into consideration.
By viewing passwords in plain text I mean typing passwords on some strange devices like TV sets, public or family computers (risky!), Xbox, Switch. I like that now many offer a “Login with another device” that simplifies that process if you already have a session on a mobile.
@abucci@anthony.buc.ci yeah, I just found it this week, and looks very complete as a replacement to BitWarden.
I should run an instance soon. Although I’m deciding if I stay with Warden passflow or I jump to another manager. (Vector is looking cool as well)
Have you used VaultWarden? Any advice?
@abucci@anthony.buc.ci So... The issue is that it’s showing the password by default? Would making an alias to always include the -c help? We can probably engage Jason with a PR to enable a more hardened approach when desired. I’ve spoken to him before and he is generally pretty open to ideas.
I found this app that was created by the gopass author that does copy by default and has a TUI or GUI mode https://github.com/cortex/ripasso