- Sun 10 February 2019
- Simon Dreher
- Linux
- Tags: linux, security, password
In my work we often use pass to store team-internal shared secrets. It's a pretty simple wrapper around gpg: every password lives in its own gpg-encrypted file, the whole store can be kept in git, and it's just easy to use. (By the way, it's from Jason A. Donenfeld, who is also behind WireGuard, the hip new VPN.)
As always, the ArchWiki has excellent documentation on how to set pass up. The most complicated part is that you need a GPG key. For key generation, a shameless plug: my colleague's blog post on generating a new GnuPG key.
The remaining setup is really simple:
pacman -S pass
# replace with your key id
pass init B528DAC8C4CE9F1DD40FCEA498528C52F33E51D7
After that you can insert your passwords:
# for just storing a password
pass insert example.com/Username
# for multiline content
pass insert -m example.com/Username
I generally use the scheme where the folder is the URL of the website or a clear category such as wifi, and the file name is the username or e-mail address used to log in. If you're migrating from another password manager, it may be supported by pass-import.
Multiline content allows you to store more information about an account than just the password. The password always has to be on the first line. The remaining lines can hold whatever you like, e.g. answers to security questions (always use random "answers" rather than the real ones, since most security questions are trivial to social-engineer) or the username, if you don't want to use the file name for that. If you store the username in a multiline file, prefix the line with 'login:', 'user:' or 'username:', since some tools (such as browserpass below) rely on that format.
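As an added example (not code from pass or browserpass), here is how a script can pull the two fields out of that layout, which is the same convention browserpass relies on. The sample entry is constructed and the function names are my own:

```shell
#!/bin/sh
# Added example: extract password and login from the multi-line pass layout
# (password on line 1, username on a "login:"/"user:"/"username:" line).
# Input is the already-decrypted entry on stdin, e.g. `pass show example.com/alice`.

# The password is always the first line.
pass_password() {
    head -n 1
}

# The username comes from the first line whose key is login, user or username
# (case-insensitive); the key and surrounding whitespace are stripped.
# Prints nothing if no such line exists, so a caller can fall back to the
# file name, as browserpass does.
pass_login() {
    awk 'tolower($0) ~ /^(login|user|username)[ \t]*:/ {
             sub(/^[^:]*:[ \t]*/, "")
             sub(/[ \t]+$/, "")
             print
             exit
         }'
}

# Constructed sample entry (not a real account) in the layout described above.
SAMPLE_ENTRY='correct horse battery staple
Login: alice@example.com
question: first pet? -> x7Gq2pLw
url: https://example.com/login'

sample_password() { printf '%s\n' "$SAMPLE_ENTRY" | pass_password; }
sample_login()    { printf '%s\n' "$SAMPLE_ENTRY" | pass_login; }

# sample_password prints the first line, sample_login prints alice@example.com
```

Only the first matching line is used, so an entry that carries both a 'user:' and a 'login:' line yields the one that comes first; keep a single login line per entry to avoid surprises.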
Browser extension
For Firefox and chromium-based web browsers you can use browserpass (also works with vivaldi).
On Arch Linux just install it from AUR with
yay -S browserpass
Usage is simple: On the site where you want to log in, you click on the lock icon. Then you search for the password file, enter your PGP key passphrase and the extension fills in the login form. The username is extracted from the file name or the content of the pass file, if there is a line starting with 'login:', 'user:' or 'username:'.
Pass addons
I only learned about these add-ons while researching this article, but they are really useful:
- pass-otp supports storing TOTP secrets and generating the codes within pass (pass otp <name> prints the current code). Make sure you don't defeat the second-factor principle with it: if the password and the TOTP secret sit on the same device, protected by the same master passphrase, an attacker who gets that one passphrase gets both factors.
- pass-audit checks password quality with zxcvbn (a more realistic strength estimator than simple length and character-class rules) and against Have I Been Pwned's list of leaked passwords; the lookup uses the k-anonymity range API, so only the first five hex characters of each password's SHA-1 hash leave your machine.
- pass-update simplifies the process of updating passwords: it prints the current one and then generates and stores a new one when you are ready.
Bonus
Encrypted text file
The first iteration of password management I used (for many years..) was to simply store passwords and other login details in a text file encrypted with gpg. Note that the snippet below uses symmetric (passphrase-based) encryption, so no key pair is needed. vim can be configured to decrypt on opening and encrypt on writing with this snippet:
" Settings to edit gpg files with vim without leaving decrypted data on the hdd
" Don't save backups of *.gpg files
set backupskip+=*.gpg
" To avoid that parts of the file is saved to .viminfo when yanking or
" deleting, empty the 'viminfo' option.
set viminfo=
augroup encrypted
au!
" Disable swap files, and set binary file format before reading the file
autocmd BufReadPre,FileReadPre *.gpg
\ setlocal noswapfile bin
" Decrypt the contents after reading the file, reset binary file format
" and run any BufReadPost autocmds matching the file name without the .gpg
" extension
autocmd BufReadPost,FileReadPost *.gpg
\ execute "'[,']!gpg --decrypt 2> /dev/null" |
\ setlocal nobin |
\ execute "doautocmd BufReadPost " . expand("%:r")
" Set binary file format and encrypt the contents before writing the file
autocmd BufWritePre,FileWritePre *.gpg
\ setlocal bin |
\ '[,']!gpg --symmetric
" After writing the file, do an :undo to revert the encryption in the
" buffer, and reset binary file format
autocmd BufWritePost,FileWritePost *.gpg
\ silent u |
\ setlocal nobin
augroup END
You can automate it further with the following shell function (if each line of the file has the format password url/username/whatever-identifier). Only the first matching line is used, so the identifier should be unique. Note that the password stays in the clipboard until you overwrite it; pass -c, by contrast, clears the clipboard after 45 seconds by default.
# Copy the password for the given service to the clipboard
pw() {
    gpg -d password-file.gpg 2>/dev/null \
        | grep -F -- "$1" | head -n 1 \
        | awk '{ printf "%s", $1 }' \
        | xclip -selection clipboard
}
XKCD pass
No blog post on passwords would be complete without a reference to https://www.xkcd.com/936/. Unfortunately pass doesn't support word-based passphrases (yet? maybe time for a merge request for pwgen...); pass generate only produces random character strings. But of course you can use your favourite passphrase generator and feed its output into pass with pass insert -e (or -m for multiline content).
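As an added example (not part of pass or any of its extensions), here is a small generator in the xkcd 936 spirit that draws words from a word list using the kernel CSPRNG, reports the resulting entropy, and pipes the phrase into pass insert. The word list path and the function names are assumptions; many distributions ship a list at /usr/share/dict/words.

```shell
#!/bin/sh
# Added example, not part of pass: generate an xkcd-936 style passphrase from a
# word list and feed it into pass. The word list path is an assumption.

# Print the usable words of a list: lower-case, 4 to 8 letters, one per line,
# so the phrase stays easy to type and remember.
usable_words() {
    awk 'length($0) >= 4 && length($0) <= 8 && $0 ~ /^[a-z]+$/' "$1"
}

# Usage: xkcd_pass WORDLIST [WORDS] [SEPARATOR]
# One 32-bit integer per word is read from /dev/urandom and reduced modulo the
# number of usable words N. The modulo bias is at most N / 2^32, which is
# negligible for any realistic word list.
xkcd_pass() {
    wordlist=$1; count=${2:-4}; sep=${3:--}
    rnd=$(od -An -v -N "$((count * 4))" -t u4 /dev/urandom | tr '\n' ' ')
    usable_words "$wordlist" | awk -v rnd="$rnd" -v sep="$sep" '
        { words[n++] = $0 }
        END {
            if (n == 0) { print "no usable words" > "/dev/stderr"; exit 1 }
            m = split(rnd, r, " ")
            for (i = 1; i <= m; i++)
                printf "%s%s", (i > 1 ? sep : ""), words[r[i] % n]
            print ""
        }'
}

# Entropy in bits of a WORDS-word phrase drawn uniformly from this list:
# WORDS * log2(N). Four words from a 7776-word diceware list give ~51.7 bits.
xkcd_entropy_bits() {
    usable_words "$1" | awk -v k="${2:-4}" '
        END { printf "%.1f\n", (NR > 0 ? k * log(NR) / log(2) : 0) }'
}

# Store a fresh phrase under a pass entry. Needs pass and a configured gpg key,
# so it is not exercised in the test; `pass insert -e` reads the password from
# stdin without asking for confirmation. Add -f to overwrite an existing entry.
# Usage: xkcd_pass_insert WORDLIST PASS_NAME [WORDS]
xkcd_pass_insert() {
    xkcd_pass "$1" "${3:-4}" | pass insert -e "$2"
}
```

Check the entropy figure for your list before trusting it: a list that shrinks to a few hundred words after filtering gives a four-word phrase well under 40 bits, so either relax the length filter or use more words.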
Further reads
Nice blog series on pass and crypto on Linux in general: https://sanctum.geek.nz/arabesque/gnu-linux-crypto-passwords/