
Ditching pass

For the last 4 years, pass has been my password manager. Now, I'm moving on.

Premises of pass:

  • Each password record is stored in an individual text file
  • Each text file is encrypted with GPG
  • These encrypted text files (binaries) can be managed through Git, allowing for easy and secure backups.

Issues with pass

Lack of Active Development

There have been 0 commits made in 2024 so far and only 7 commits over the past 3 years.

This doesn't mean the tech is insecure in any way. In fact, pass is implemented 100% as bash scripts that just invoke git and OpenPGP under the hood.

The problem extends beyond pass itself to its integration on other platforms.

Poor Cross-Platform Experience

Using pass across devices is difficult, especially with syncing and autofill – features essential for any password manager. Because pass does not enforce a standardized format for password files, integration is cumbersome.
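To make the format problem concrete, here is an added example (not code from pass or from any of its clients) of what an integration has to do with the decrypted text of an entry. The field aliases and the sample entries are assumptions constructed for illustration; the only fixed point is the convention that the first line is the password.

```python
import re

# Assumed aliases for illustration; pass itself defines no field names.
ALIASES = {"username": ("username", "user", "login", "email"),
           "url": ("url", "website", "site")}
URI = re.compile(r"^([a-z][a-z0-9+.-]*)://", re.IGNORECASE)


def parse_entry(plaintext):
    """Normalize the decrypted text of one pass entry into a dict."""
    lines = plaintext.splitlines()
    # The one convention to rely on: line 1 is the password.
    entry = {"password": lines[0] if lines else "", "username": None,
             "url": None, "otpauth": None, "extra": {}, "notes": []}
    for raw in lines[1:]:
        line = raw.strip()
        if not line:
            continue
        uri = URI.match(line)
        if uri:  # bare URI: test before splitting on ':'
            field = "otpauth" if uri.group(1).lower() == "otpauth" else "url"
            if entry[field] is None:
                entry[field] = line
            else:
                entry["notes"].append(line)
            continue
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if not sep or not key:
            entry["notes"].append(line)  # free text, keep it
            continue
        field = next((f for f, names in ALIASES.items() if key in names), None)
        if field and entry[field] is None:
            entry[field] = value
        else:
            entry["extra"][key] = value  # unknown or duplicate key
    return entry


# Constructed sample entries (not real credentials).
SAMPLES = {
    "key-value": "pw-one\nlogin: alice\nurl: https://example.com\n",
    "free-form": "pw-two\nUsername: bob@example.org\n"
                 "https://example.net/login\nrecovery codes are in the safe\n",
    "bare": "pw-three",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, parse_entry(text))
```

Every client has to pick its own alias list and fallbacks like these, which is why the same store can autofill correctly in one client and not in another.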

The list of "compatible clients" on the official site is limited, and my experience with some of them has been mixed:

  • The iOS app works well overall but sometimes requires manual intervention to sync with Git
  • Browserpass is functional, though the setup process was challenging
  • The Android app is now archived
  • I was unable to get QtPass or Pass4Win to work

To add insult to injury, they show no signs of supporting the emerging authentication method – passkeys.

A major factor in these usability challenges is OpenPGP.

OpenPGP Complexity

OpenPGP is notoriously complex, and configuring it can be frustrating. I had the most trouble with the pinentry program – capturing input focus is still an issue.

There are plenty of rants about OpenPGP, GPG usability, and OpenSSL online. I won’t repeat them here. If you’re interested: 1, 2, 3, 4

My usage history

Here are some stats before saying goodbye.

Total number of commits: 456

Total number of files: 237