For years I’ve used 1Password. I am no longer using it.
I’ll admit that’s extremely blunt and can be perceived as setting the tone for the entire article where I outline crummy things about 1Password. Nope. I just don’t agree with the direction they are taking with the application. In this post I would like to describe my experiences and show what I am using now to replace 1Password.
There is a movement lately toward a subscription-based model for software. The traditional model of perpetually licensing paid software seems to be dying. Some say it is because Apple’s App Store is extremely restrictive and has destroyed the traditional software market by poo-pooing paid upgrades. Others think it’s because of pirating. There is some truth to the former, but it obviously doesn’t tell the entire story. The latter is bullshit. For instance Adobe’s Creative Cloud software has never been easier to pirate. Historically the biggest barrier to pirating Adobe software was downloading the full version; that’s extremely easy today. The best part about it is that pirates even get a better user experience.
When software has moved to this model wanting me to fork over a portion of my monthly income for software in perpetuity (unless I unsubscribe), I haven’t obliged yet.1 Overcast switched to a model where it displays ads unless you pay for a subscription. iOS automatically updated it, and there I was being effectively ransomed for money from an application whose last version I paid for and could not return to. I deleted it immediately and started looking for alternatives.
1Password switched to a subscription model, but to their credit, unlike some others, they haven’t stopped their software from working for people who paid for licenses in the past. However, there are new features unique to the subscription model. Their customer service has been quite good, and they have helped me since with issues I’ve had. I just can’t use software that won’t really be updated and eventually won’t be supported. Needless to say I won’t subscribe to their software either.
Subscription software is a scam, and in my opinion it should be illegal unless the customer is allowed to keep the software as is at the point of their subscription’s termination. I subscribe to National Geographic, a monthly magazine. If I stop subscribing to the magazine, I still have the magazines I received while subscribed. Upon cancelling the subscription the software ceases to function or — as is the case with Overcast — starts displaying ads anew when you stop forking over money to the company. We should stop referring to it as a subscription and call it what it is: rentalware. It’s a racket that many crooks in the past would have loved to be able to legally do; today people accept it as the norm.
In a world where people pay a rental fee to listen to music they could otherwise own I’m not holding my breath for a change.
Looking for an Alternative
I originally wanted to ramble on a bit about free software, but I came to the conclusion that was pretty much what it was — a ramble. Free software is free. It doesn’t cost you anything, but it can be clunky, and support is usually antagonistic, with neckbeards telling you stupid shit like “RTFM” all the time. These points were tangential to what I want to say here, so having outlined what made me want to jump ship from 1Password let me get on with describing my journey to what I eventually decided upon.
There are other alternatives to 1Password of course, ranging from rent-for-advanced-features LastPass to free KeePass and its many derivatives. I really shouldn’t need to say why I didn’t want to use LastPass, but aside from the fact that the password storage is not in the user’s possession, multiple security breaches2 are a nice reason not to use it. I first tried out KeePass, and I found that while the vault format itself was solid the software was not. There is not a single client that works worth a crap on macOS except KeeWeb, and it’s an Electron application3. KeePass-compatible browser extensions are even worse and don’t provide even a modicum of the functionality 1Password’s or LastPass’ extensions provide. I also looked at Bitwarden, which is a server-based solution: I install it on my server and use applications to access the storage there. I fully intended on installing it on my server despite its heavy use of a Microsoft software stack that I don’t otherwise use, but I discovered something else first.
That something was pass, a command-line password manager built on the Unix philosophy:
- Write programs that do one thing and do it well
- Write programs to work together, expecting the output of every program to become the input to another
So… I replaced 1Password with a command line program? I did, and I’ll admit now it’s not for everyone. The downside to the Unix philosophy comes from its greatest strength in that the software isn’t monolithic; it’s just one tool in a chain of tools instead of a single application. Granted, with 1Password there are three parts: 1Password, its browser extension, and 1Password Mini (what actually interfaces with the extension). Those are all three pieces of a whole though, installed with the first piece. Pass is only really the second link in a chain.
Pass works quite differently from other password managers. It doesn’t create a vault-like database to store your data. In the typical Unix manner it uses the filesystem: each secret is its own file under the store directory, so rearranging and organizing your passwords and secure data is simply a matter of moving files around. Pass does not enforce any format for what goes inside a secret. The only convention is that the first line is the password (that is the line pass copies to the clipboard); anything after it is free-form, and I fill it with key/value pairs such as the username and URL of a hypothetical website.
Each of those files is encrypted with a GPG key. Pass simply provides a way to access these files and decrypt them on the fly.
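As an added example, not code from the original post or from pass itself, here is what that convention looks like on the plaintext a secret decrypts to, and how to pull fields out of it. The sample secret is constructed and stands in for the output of `pass show www/example.com`; the Username, URL and Notes field names are my own convention, not something pass mandates.

```shell
# Added example (not from the original post): a constructed secret in the
# "first line is the password, key: value lines follow" shape, standing in
# for what `pass show www/example.com` prints after decryption.
SAMPLE_SECRET='correct horse battery staple
Username: alice
URL: https://www.example.com/login
Notes: second factor: see the "recovery" entry'

# Line 1 is the password and nothing else. `pass show -c <entry>` copies
# exactly this line to the clipboard, which is why the convention exists.
secret_password() {
    printf '%s\n' "$1" | head -n 1
}

# Value of a "Key: value" line below the password. The key is matched
# case-insensitively and the line is split on the FIRST ": " only, so values
# that themselves contain colons (URLs, notes) survive intact. Exit status 1
# when the key is absent, so callers can tell a missing field from an empty one.
secret_field() {
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    printf '%s\n' "$1" | tail -n +2 | awk -v want="$want" '
        {
            i = index($0, ": ")
            if (i == 0) next
            if (tolower(substr($0, 1, i - 1)) == want) {
                print substr($0, i + 2)
                found = 1
                exit
            }
        }
        END { exit !found }'
}

# To store a secret in this shape: `pass insert -m www/example.com` and paste
# the lines; `pass edit www/example.com` opens it in $EDITOR later on.
```

Because only the first line is ever treated as the password, a URL or note that happens to contain a colon lower down can never be mistaken for it, and tools that only need the password (the clipboard copy, the browser extension) never have to understand the rest of the file.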
Setting up Pass
I use macOS, but installation is trivial on other Unix-like systems, and pass is even available for Windows.
During the installation process Homebrew (or whatever package manager you have) will install GnuPG, which is what handles the GPG keys and does the decryption and encryption of the files. If you’ve ever sent an encrypted email you’ve probably used it before. Before using pass a public/private key pair must be generated; that is what the second command is doing.
As a helping hand to Linux users, be advised that pass expects gnupg2, so the command might be gpg2 for you. It’s an interactive prompt, so just follow the on-screen questions. Generate a key with these properties:

|Prompt|Answer|
|---|---|
|Kind|RSA & RSA (default)|
|Key validity time|0 = key does not expire|
In addition to these it will ask for your name, email address, and a comment. The comment is an identifier for the key. I used “Password Store”; use whatever you’d like. Keep your keys safe. If you lose the keys you will not be able to decrypt the passwords, so export a copy of the private key (gpg --export-secret-keys --armor) to offline storage before the store holds anything you care about. Earlier when showing how to install pass via Homebrew I included pinentry-mac. This is a small helper program that gpg-agent launches to show a native GUI dialog for your passphrase instead of a terminal prompt, which is very convenient. GnuPG just needs to be configured to use it.
~/.gnupg is where the keys are stored, and it is also where gpg-agent’s configuration file, gpg-agent.conf, goes; its pinentry-program option takes the full path of the pinentry binary, which is how pinentry-mac gets wired in.
default-cache-ttl specifies how long the passphrase is cached, in seconds. I set it so that after inputting the passphrase it won’t need to be input again for 5 minutes; specify whatever you’d like. The default is 10 minutes, and I thought that was too long. You’ll need to restart gpg-agent for the settings to apply. Above I just kill the process. That’s okay; it’ll relaunch the next time it is needed.
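The following is an added example of my own, not the post’s configuration: a function that writes the gpg-agent.conf described above and another that restarts the agent. The 300 and 3600 second TTLs and the pinentry path are assumptions; the Homebrew prefix differs between Intel and Apple Silicon Macs, so pass in whatever `command -v pinentry-mac` prints on your machine.

```shell
# Added example (not from the original post): write gpg-agent.conf for
# pinentry-mac and a shorter passphrase cache, then restart the agent.
write_gpg_agent_conf() {
    gnupg_home=$1   # normally "$HOME/.gnupg"; a parameter so it can be exercised in a temp dir
    ttl=$2          # seconds the passphrase stays cached after its last use
    max_ttl=$3      # absolute cap, counted from the first use
    pinentry=$4     # full path of the pinentry binary gpg-agent should launch

    mkdir -p "$gnupg_home"
    chmod 700 "$gnupg_home"   # gpg warns about a group- or world-readable ~/.gnupg
    cat > "$gnupg_home/gpg-agent.conf" <<EOF
# gpg-agent defaults to a terminal prompt; point it at the GUI pinentry instead.
pinentry-program $pinentry

# Passphrase cache, in seconds. GnuPG's defaults are 600 (10 min) for
# default-cache-ttl and 7200 (2 h) for max-cache-ttl. default-cache-ttl is a
# sliding window that restarts on every use, so on its own a busy session keeps
# the key unlocked until max-cache-ttl runs out; lower both to get a real limit.
default-cache-ttl $ttl
max-cache-ttl $max_ttl
EOF
}

# gpg-agent only reads its config when it starts. Kill it (gpg relaunches it
# on demand) or, with GnuPG 2.1+, let gpgconf do it cleanly.
reload_gpg_agent() {
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --kill gpg-agent
    else
        pkill -x gpg-agent || true
    fi
}

# Usage on a real machine (path assumed; check with `command -v pinentry-mac`):
#   write_gpg_agent_conf "$HOME/.gnupg" 300 3600 "$(command -v pinentry-mac)"
#   reload_gpg_agent
```

The second option is the one worth knowing about: default-cache-ttl alone is reset every time the cached passphrase is used, so someone working in pass continuously is protected only by max-cache-ttl, which defaults to two hours.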
Pass is ready to use now, and initializing a password store is a single command, pass init, given the identity of the GPG key the store should be encrypted to.
“Password Store” is the comment for the GPG key that was generated earlier; pass hands whatever you give it to GnuPG as the recipient, so the email address or, least ambiguously, the key fingerprint would work just as well. Doing that creates a password store in ~/.password-store. Inserting passwords isn’t difficult at all but is beyond the scope of this post. Pass’ manual provides numerous examples and is really easy to follow. I should say that if you are migrating from 1Password, the script provided on pass’ website doesn’t create a very well organized password store.
There is a browser extension for Firefox, Chrome, and Chrome derivatives called Browserpass which can access your password store. There is currently no Safari extension. I am not sure whether it is because no one has yet been interested in making one or if Safari’s extension API doesn’t support what Browserpass needs. If I had to guess it would be the latter.4
Unfortunately, there are multiple parts to this. In addition to the extension itself a native messaging host needs to be installed for the browser to communicate with. Because of some really stupid shit browserpass isn’t in Homebrew. I can sort of understand the Homebrew owner’s logic on this, but all Homebrew needs to manage is a command line tool, not the extensions themselves. Something is said about a “better and safer experience” if they can install the command line tool and the extensions all in one go. They’re right; that’s great in theory, but Chrome prohibits management of extensions via its extensions page if the extension is managed by something other than the browser; no thanks. Thankfully one can create their own repositories (taps) in Homebrew, so I have created my own, largely using what was worked on in the issue I linked to earlier.
When done it will tell you that you will need to install the extensions (duh), but also a browserpass-setup command needs to be run which copies the appropriate messaging host file to the browsers. I have Chrome, Firefox, and Vivaldi installed on my computer, so I told it to install those. Install what you need. Perhaps when I get some time in the future I’ll have the formula auto install them for you to save this step.
This is it. Browserpass should now work in your browser(s). One caveat to note with the extension is that it expects the file name of a website’s entry to be the site’s host name, e.g. example.com (pass adds the .gpg suffix itself). It doesn’t matter how many folders deep you have it, though. You do not have to lay your store out like this, but autodetection by the extension requires it: the extension can only match entries by file name, because decryption of the password file doesn’t happen until you click to fill in the form and provide your passphrase. Consult Browserpass’ requirements for more information. Another caveat is that it does not yet help with creating passwords; that is being discussed, though.
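As an added example of mine, not Browserpass’ own code, here is that matching rule done by hand against a constructed store: a temporary directory of empty .gpg files, so nothing needs decrypting. The host extraction handles scheme, userinfo, port and path; the extension’s real matching may differ in details the post does not cover.

```shell
# Added example (not from the original post): look up store entries for a
# host the way the post describes Browserpass doing it, by file name only.
make_demo_store() {
    store=$(mktemp -d)                      # constructed fixture, not a real store
    mkdir -p "$store/web" "$store/work/vpn" "$store/misc"
    : > "$store/web/example.com.gpg"        # found for example.com
    : > "$store/work/vpn/example.com.gpg"   # also found: depth does not matter
    : > "$store/web/example.org.gpg"        # different host, not found
    : > "$store/web/www.example.com.gpg"    # a subdomain is a different name
    : > "$store/misc/Example Bank.gpg"      # fine for `pass show`, invisible to host matching
    printf '%s\n' "$store"
}

# Print the store-relative entry names (what you would give `pass show`) whose
# file name is exactly "<host>.gpg", at any depth, sorted for determinism.
entries_for_host() {
    store=$1
    host=$2
    (
        cd "$store" || exit 1
        find . -type f -name "$host.gpg" | sed 's|^\./||; s|\.gpg$||' | sort
    )
}

# Reduce a URL to its lowercase host (drop scheme, userinfo, port, path) and
# look that up. This is the step the extension does on the current tab before
# anything is ever decrypted.
entries_for_url() {
    host=$(printf '%s\n' "$2" |
        sed -E 's|^[a-zA-Z][a-zA-Z0-9+.-]*://||; s|^[^/]*@||; s|[/:?#].*$||' |
        tr 'A-Z' 'a-z')
    entries_for_host "$1" "$host"
}

# Once an entry is chosen, the password is the first line of `pass show <entry>`.
```

Note what does not match: www.example.com is a different file name from example.com, and a pretty name like “Example Bank” is perfectly usable from the command line but will never be offered by the extension.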
One thing I didn’t mention is syncing. The accepted manner by the community (and one pass provides a small bit of help with through its pass git subcommand: once the store is a repository, every insert, edit and remove is committed automatically) is using a private remote Git repo to sync to different devices. Git isn’t user friendly to even seasoned users, so I can understand averseness to using it. You can thankfully use whatever service you wish; needless to say, make sure it’s a secure one, and bear in mind that only file contents are encrypted: the entry names, and so the list of sites you have accounts at, are visible to whoever hosts the repository.
Like I said there was a good bit to set up, but this approach does provide me with quite a bit of freedom that I rather enjoy. Everything is encrypted with a format that is openly available, independently tested, and useful for more than just password storage. The best part is that I don’t have to rent software. Pass doesn’t end here. There are mobile apps for iOS and Android available. Surprisingly enough the iOS app works really well. I was thoroughly shocked when I first tried it out to find a working and free iOS app that didn’t contain any bullshit. I haven’t tried the Android client yet, though. There are many plugins for Pass as well that do things like OTP5 and vaulting with Tomb, along with a compatible alternative called gopass which contains extra features not found in the official executable; either or both can be installed without affecting each other or Browserpass.