I’ve been a Lastpass customer for several years, and it’s been pretty much the only service I’ve used which stores my data on someone else’s servers (albeit encrypted). I’ve never been particularly happy with this, but haven’t found a solution that allows me to access my passwords easily from multiple devices across multiple platforms, so have stuck with it until now.
My Lastpass subscription is due for renewal this month, and this week Lastpass suffered a security breach. This coincides with my discovery of pass, a unix password manager that stores your passwords locally in plain text files encrypted with GPG. It also integrates with git to allow your password store to be easily shared between devices, and has clients for Android (which I need for my phone) and Windows (which I need for work). I decided to have a go at migrating to see how I got on.
Setting up on Linux was straightforward. I’m running Ubuntu 14.04, so installed with
apt-get install pass
I generated a key with
gpg --gen-key
and ran
pass init
to create a password store using the key. I then ran
pass git init
to initialise the git repository. Next, I exported my passwords from LastPass using their CSV export feature, and ran the file through this script to import them into pass. Similar scripts are available for migration from other password stores.
I installed the Firefox extension, and it works like a charm, matching the current site and filling in login forms for me.
Before I could install a client on another device, I needed to push the git password store to a server. I logged into my server that’s accessible via the Internet, created a folder and ran
git init --bare
since I don’t need to have the files checked out on the server. I then ran
pass git remote add
to add the server, and
pass git push
to sync the passwords.
For Android, there is a client called Password Store which can be found in F-Droid or the Play Store. First, you need to install OpenKeychain (available from the same places), and import your GPG key. I followed this guide to export my key, copied it to my phone and used the “Import from File” option to add it to OpenKeychain.
In Password Store, I set up the Git repository and synced down my passwords. I then set OpenKeychain as the OpenPGP provider, and I was set. When unlocking a password, Password Store will automatically copy it to the clipboard for a defined number of seconds, then clear it. OpenKeychain allows you to cache your key’s password for a defined number of minutes, so you don’t have to enter it repeatedly. It then forgets it automatically.
Update: I’ve since worked out how to set up pass properly on Windows, including the Firefox extension. See this post for a full guide.
There are several solutions for Windows, but none of them is as complete as the Linux equivalents yet (for example, there is no Firefox plugin). However, you can get a similar copy-to-clipboard-then-auto-delete workflow to the one on Android.
Firstly, you need to install Git and GPG. I already had msysgit installed which includes gpg, but it’s an older version so I installed GPG4Win as well. You then need to import your key into gpg. I found this was easiest using the gpg CLI in git-bash (see the guide linked above again).
The “Windows Client” listed on the pass website is Pass4Win, but I found this to be buggy. Instead, I went for the “Cross-platform GUI” listed on the site, QtPass. This gives you the option to use native pass, or to use GPG and Git directly. I went for the latter option (be sure to select the gpg2.exe executable installed by GPG4Win, not the older one provided by msysgit).
Running QtPass prompted me to create a password store – I selected the key I’d already added to GPG and it created the empty store. To configure the git repository, I found it easiest to use the command line (it didn’t prompt me for git details in QtPass). I went to the password store directory that had just been created, then ran
git remote add
to add the remote details to .git/config, and ran
git pull
Closing and re-opening QtPass found the git repository and I was good to go.
Lastpass has invested a lot in the usability of its solution. The browser plugins and Android apps take care of identifying websites and filling in the password for you. pass is part way there, but still has a long way to go. I’m willing to compromise on the usability for the peace of mind of holding all my own data. However, I wouldn’t recommend it to anyone who primarily uses Windows, and I wouldn’t want anyone who’s not familiar with what GPG is to try and set it up for themselves. Once set up with the browser extension, it’s certainly a decent alternative to Lastpass on Linux, and a pretty good one on Android.