I store my passwords using this: https://www.passwordstore.org/
It's a shell script that stores passwords in a git repository, containing one file per entry. The files are encrypted using a GPG key. Because it's just a git repository, you can synchronise it between devices using whatever infrastructure you want. I use a FOSS client for it on iOS, and there was one for Android before I got an iPhone.
I tried using pass once. I like that it follows the Unix philosophy, and I want to like it, but the fact that all of your account names are visible in the clear is a deal breaker for me.
Thanks for the pointer. I use a similar system, but hadn't thought to put the password directory into a git repo.
I'm interested in this, what do you use to host the git repo? Just a private repo on something like github or your own server? How do you backup your private key?
I also use pass. Any forge you feel like is fine (I use gitlab). I backup my gpg key with `gpg —export-owner-trust` and store that backup elsewhere.
Pass has a pretty good ecosystem of plugins/other clients, as well. There are open source iOS/Android clients and browser extensions so once you’re setup the day-to-day experience is not far off from any of the popular hosted password managers.
My only real issue is the dependency on gpg, as it’s pretty long in the tooth and a hassle to operate. (If you are not comfortable using gpg, spend some time learning that before you go all-in on pass!) There’s a fork[1] which swaps gpg for age, but it hasn’t attracted enough attention to get a similar ecosystem of mobile clients/browser extensions, so it’s not a very practical choice IMHO.
[1]: https://github.com/FiloSottile/passage
It's next-to-impossible to implement pass on every device everywhere and have all the same features on each client without reimplementing all of GnuPG. It pushes a lot on to GnuPG.
God help you if you want to use the PGP applet on a Yubikey or smartcard. The pieces all exist, but wiring them all up in a mobile app is hard and the result is janky.
I don't think Age will catch on as a replacement until it has a gpg-agent equivalent to facilitate access.
I run Gitea on my own server. (I didn't switch to Forgejo because it's not in the Debian repositories.) I don't have a backup of my private key... I should do that.
+1 for pass! I use this on my VPS to store secrets. I love that it syncs with GIT. Good stuff
I have used this for almost 10 years now. It's pretty barebones but it seems like the usable lifetime of commercial password managers is 4-5 years before they get enshittified, bought, discontinued, price-jacked, or otherwise made unsuitable for use. "pass" just keeps working.