Password management should be simple and follow Unix philosophy. With
pass, each password lives inside of a
gpg encrypted file whose filename is the title of the website or resource that requires the password.
These encrypted files may be organized into meaningful folder hierarchies, copied from computer to computer, and, in general, manipulated using standard command line file management utilities.
Contrary to many Free, Libre and OpenSource password managers, pass and by extension QtPass are not bound to one user or device. Since we are based on GnuPG we have multi-key, multi recipient encryption out of the box. The use of external encryption devices like OpenPGP or x509/CMS based smartcards or USB tokens and per-folder ACL makes it easy to grant or take away privileges from users.
All passwords generated with QtPass' built-in password generator prior to 1.2.1 are possibly predictable and enumerable by hackers.
The generator used libc's random(), seeded with srand(msecs), where msecs is not the msecs since 1970 (not that that'd be secure anyway), but rather the msecs since the last second. This means there are only 1000 different sequences of generated passwords.
We advice to update to 1.2.1 or later as soon as possible and change any password you may have generated with the QtPass' password generator.
Read the changelog for the latest features and fixes.
pacman -S qtpass
yum install qtpass
dnf install qtpass
apt-get install qtpass
emerge -atv qtpass
pkg install qtpass
cd /usr/ports/sysutils/qtpass/ && make install clean
choco install qtpass
brew install qtpass --cask
On most *nix systems all you need is:
qmake && make && make install
On Mac OS X:
brew install qt5 brew link --overwrite --force qt5 xcode-select --install qmake && make && macdeployqt QtPass.app
Using this program will not magically keep your passwords secure against compromised computers even if you use it in combination with a smartcard.
It does protect future and changed passwords though against anyone with access to your password store only but not your keys. Used with a smartcard it also protects against anyone just monitoring/copying all files/keystrokes on that machine and such an attacker would only gain access to the passwords you actually use. Once you plug in your smartcard and enter your PIN (or due to CVE-2015-3298 even without your PIN) all your passwords available to the machine can be decrypted by it, if there is malicious software targeted specifically against it installed (or at least one that knows how to use a smartcard).
To get better protection out of use with a smartcard even against a targeted attack I can think of at least two options:
enable-ssh-support write-env-file use-standard-socket default-cache-ttl 600 max-cache-ttl 7200
Also, the following is useful to add to your .bashrc if you are using Yubikey NEO on Ubuntu:
# OpenPGP applet support for YubiKey NEO if [ ! -f /tmp/gpg-agent.env ]; then killall gpg-agent; eval $(gpg-agent --daemon --enable-ssh-support > /tmp/gpg-agent.env); fi . /tmp/gpg-agent.env