PASS: a Password Manager & Two Factor Authentication (OTP) with no Cell Phone

Captions
In this video I'm going to talk about the only password manager that ever matters, and that is pass. And it's the best not just because it is the most minimal and therefore most extensible, uh, and also full of... I mean, you know, devoid of junk, but it can also do things like OTP, one-time passwords, and two-factor authentication. I don't use... I don't use a cell phone for that kind of stuff. Whenever, you know, that might be a big pain using OTP, uh, if you don't use something like pass. It's very nice. You can... anyway, I'm just gonna talk about... let's talk about pass.

Okay, so pass is in basically every Linux repository. Um, I also recommend you go ahead and get pass-otp if you want to do one-time passwords. I'll explain doing both of them in this video. Um, so pass is actually... it's really just a shell script. If you look at it, it's not like a compiled binary, it's a very simple program. Um, and it uses GPG. In order to use it you have to have a GPG key pair, so in case you haven't generated one, let's generate one.

So, um, you want to run gpg --full-gen-key, and when you run that it's gonna... it's gonna bring up some stuff. It's not super important, uh, this isn't so important for this video, but just mostly choose the default. So I'm gonna choose the default here. I'm gonna say 496 bits long. I'm gonna say my key doesn't expire. I'm going to say yes to that. And you give it a real name: I'm going to say my name is Billy Smith, my email address is going to be billy@larbs.xyz. Um, and then, doesn't really matter, anything else just say okay. And it's going to ask you to secure your password with some kind... or secure your key pair with some kind of password.

And how this is going to work is you are going to basically, uh... pass is going to use GPG to encrypt all of your passwords, so only people with your GPG private key pair can view those, and of course in normal circumstances that is only going to be you, ever. Okay, never give anyone your GPG key pair, or, well, give them your public key, not your private key, right? If they have your... your public key... um, we can actually gpg -k and it will show you, oh, here we have this public key that we can give out to people. Um, they can encrypt mail to you or anything else to you, but that's not important for this video.

Let's talk about pass. Once we have a GPG key pair, we can run pass init and then give it the email address for your GPG key pair. Now this does not have any... notice that this address, billy@larbs.xyz, does not actually exist. It's not... you want to choose an email address to identify yourself, but you're not logging in. Like, the password I put in for it has nothing to do with your email password, okay?

Now once I've init... I've initted pass, I can now store passwords, and it's very simple. I can say this: pass add. Let's add a password, let's call it email. This is going to be the password for my email. Um, and it's going to ask you to insert that, so I'm going to give the password I use for all of my email. Um, okay, so I've done that. Now that password is saved. Specifically, pass uses GPG and encrypts it in a file in your home directory, in, you know, in a hidden directory in your home directory, so no one can see that. No one can see it unless they have your private key. But if you have pass, you can run pass and then email and it will show you your password. Now of course you have to unlock your GPG key pair. Um, I will go ahead and say that I usually have this unlocked by default when I log in. You can set that up, uh, if you look up pam-gnupg, it will do it for you automatically. But in this case I'm going to unlock it by putting in my GPG password, which in this case is password. Um, and it shows you the text of your... the password you saved in this, you know, your email password, right?

So let's add another one. Let's say pass add, uh, my work pass... this word, I don't know. Um, so I'm gonna just put in something here. Okay, so now we have another password saved. We can look at it by running pass and work, and it will show me the text that I put in for that. Okay, so remember, although all of these passwords are now easily accessible, you can easily have them come up in scripts, but they're also secure. No one can get these passwords unless they have access to your home directory, they have access to your GPG key pair, and they have your GPG key pair's password. Okay, all of them are now secured under one system.

Now if you just run pass or pass ls it will just show you a list of all the passwords you have. Additionally, you can use this command, passmenu. This is nice if you want to... you can bind this to a keyboard shortcut, you can put it somewhere else so you can insert a password. It uses dmenu. You need dmenu installed, but you should have dmenu. Um, and it will give you a list of all the different passwords you've inserted in a dmenu prompt, and you can start typing one in and select that and it will copy it to the clipboard, so I can then paste it in. Because it's now in my clipboard, I can paste it in any kind of browser or something like that. You can also use passmenu --type, and in that case it will type it out. Now you might say, what's the difference between just running pass email and then selecting in the dmenu prompt? Well, that's because the dmenu prompt, of course, you can use it in your browser or something like that where you're not getting standard output, in case that isn't obvious.

Um, so that is a nice way to keep your passwords, uh, nice and secure. Now as I said, um, they are all encrypted with GPG, meaning that you're usually... I mean, when you log in you'll have to give your GPG password, or GPG key pair password, and it will unlock all of these. I use pam-gnupg, look that up if you want. It automatically unlocks your... your key pair when you log in, so I don't have to worry about that little prompt that came up every once in a while. And if you rerun it every once in a while, after a certain amount of time goes by, it'll come up again and you'll have to re-unlock it.

All right, so the other thing I mentioned that pass can do that's very nice... now, and I want you to go ahead and think about it if you haven't thought about it already, this is great because you can... since it is a command line application, you can also use it in a script. So this is what I use in, like, mutt-wizard to secure people's passwords. It uses pass, and so when they log in with their... they don't have to put in their email or their email password. It's automatically secured with pass. When they send an email or something they don't need to do that. So that's the nice thing about that.

All right, so the other thing that it can do is, let's say you have some kind of service where you have two-factor authentication. They want... they want you to have a one-time password, where you log in with your... your password, but then they ask for some kind of pass... like some kind of six numbers that change every so often. You've probably had to deal with this. Now I've... excuse me, I've actually made a little QR code here, and this is for a fake OTP. Uh, usually what happens is they'll be like, okay, scan this QR code, use it on your... your Google cell phone application, um, and then you can log into our service extra secure. We don't need Google or cell phones for that. We can actually use pass if you have pass-otp installed.

So let's deal with that. So let's say you have this image here and you download it on your computer. Now first off, you can use the program zbarimg to take that file and you can actually look at the content of that QR code, and the content of that QR code is something that looks like this. This is what, like, an OTP, uh, you know, what an OTP sort of hidden password generator thing looks like. Now obviously this is one I just made up because it's like a bunch of A's. Normally it'll be a bunch of random letters here and you'll have, like, whatever service is giving it to you, um, whatever you're trying to log in with. Sometimes it'll have your email or something else that identifies you. Um, but this... this one of course is fake.

Uh, but anyway, how do you integrate something like that into pass? It actually is not too difficult, uh, once you have pass-otp. Um, first off, as I said, we will use... let me actually make this bigger. Um, what you... all you have to do is install pass-otp and say pass otp add, and then we'll give it a name. We'll say, um, I don't know, what is this going to be? This is going to be my domain registrar, so we'll say registrar otp. Okay, then it's going to ask for an OTP, uh, password thing, or the... the OTP thingy, I don't even know what it's officially called. Um, but I'm gonna copy this. You're only gonna start right here and go on. I'm going to copy that, put it in there, put it in there again, bam. So that's done.

Now what has that done? Now if I run pass registrar otp, it's actually just going to spit out what I just gave it. But if you run otp and then that, uh, you know, whatever it is, the name of the... the OTP password, it's actually going to give you your six-number, uh, generator thingy, or, you know, the six numbers that it generates, and you'll notice as time goes on it will change, just like any other kind of OTP application, and that's how it's supposed to work. So you can... this is the nice thing about this is, um, unlike your stupid applications on phones, this again is a command line application, so you can do something like, uh, put it in the script, log in remotely. Uh, what I actually have on my, uh, main login, where I actually have all my real passwords, is I have a bunch of OTP things that I pipe into dmenu and I can select one and then it inserts, uh, the text or whatever. But as you see, oh, look at that, it keeps changing. It's magical, it works.

Um, so anyway, this has been pass. It is the only password manager, I think, that is worth using. I usually just memorize this... memorize my passwords, but it's especially nice for being able to do things on the command line or using OTP. Um, now if you want to talk about syncing them and other stuff like that, I... I don't do that. There are options for it, but I won't talk about it in this video. You'll have to, I don't know, stay tuned or something like that. But anyway, that's it, and I'll see you guys next time.
Info
Channel: Luke Smith
Views: 32,779
Rating: 4.950501 out of 5
Keywords: pass, password, storage, manager, lastpass, keypass, keypassxc, otp, one, one time passwords, two factor authentication, 2fa, tfa, multi factor authentication, multi, qr, scan, six digit, google, bitwarden, sync, secure, gpg, key, pair, encrypt, local, encrypted, cell, phone, mobile
Id: sVkURNfxPd4
Length: 10min 44sec (644 seconds)
Published: Wed Nov 11 2020