PR #36 added ability to insert a file, in addition to the previous ability to insert a password.

This feature request is to add ability to edit a file, in addition to already being able to edit a password.

It doesn't seem to be supported right now in v2.1.0:

$ passgo version
v2.1.0
$ passgo edit some-bank/recovery-codes.txt new-recovery-codes.txt
Error: accepts 1 arg(s), received 2
Usage:
  passgo edit [flags]

Aliases:
  edit, update

Examples:
passgo edit money/bank.com

Flags:
  -h, --help   help for edit

As a workaround, it's possible to remove the file entry, and then insert it again.

Hey @ejcx,

I just noticed that passgo v2 no longer uses git to track history of updates to the password vault in ~/.passgo. I wanted to ask what was the motivation for removing that functionality?

For reference, I never used the push/pull functionality to sync the git repo elsewhere, and figured that could easily be done externally (i.e., it makes sense to make that out of scope), but I enjoyed the git history tracking after each password insert/edit/remove operation. It meant I could worry less about accidentally losing something valuable. This feature seems harder to implement outside of passgo.

I'm asking because I'd like to understand this better. Thanks!

Can you provide an example of passgo show with -copy flag?

I see the commit with this logic, but I'm unable to put the right command together. It's not in the usage or readme, does it work yet?

Thanks!

Reproduce steps:

1. cd into ~/.passgo and git status, note that it's clean

2. use passgo insertsite ...

3. do git status, see:

   On branch master
   Untracked files:
     (use "git add <file>..." to include in what will be committed)
   
   	files/
   
   nothing added to commit but untracked files present (use "git add" to track)
   

I suspect it's because git add -u is used to stage files in sync.Commit:

Perhaps git add -A would be more appropriate?

Get a CI build that runs unit tests.

HOLY CRAP!!! Yet another dotfile?????

Jesus fuckin christ i've ALREADY have 117 (!!!) goddamn dot files in my home folder! Why i need another?

This is some kind of madness

It would be nice if there was an option to copy the password to clipboard instead of showing it, either as a prompt or as a flag.

example 1:

> passgo -copy news.ycombinator.com 

Enter master password:
Password has been copied to clipboard

example 2:

> passgo news.ycombinator.com
Enter master password:
Copy password to clipboard [y/n]? y
Password has been copied to clipboard.

If building in password copy does not make sense, another option might be to be able to pass the master password to stdin

example 3:

> echo "no7 50 s3cr7" | passgo news.ycombinator.com | gocopy

Basically, I'd really like to make long complicated passwords, and I dont want to type them in.

Something like https://github.com/atotto/clipboard might come in handy

How does passgo handle conflict resolution between remote and local?

I want to sync between my work and home computer, but sometimes I forget to push at home before inserting a new entry at work, since the JSON isn't prettyprinted I'm guessing either the work data or the home data will be lost to the ether.

Would be nice to include username also along with the password. Is this a possible feature enhancement?

we need to add docs in passgo.go that include passgo insertfile <passgo/path> <filename>

None exist and unit tests should exist.

Hey, saw your quick talk at gopherfest! Giving passgo a try I ran into this:

[user@sandbox ~]$ go get github.com/ejcx/passgo
[user@sandbox ~]$ which passgo
~/gocode/bin/passgo
[user@sandbox ~]$ passgo init
Please enter a strong master password: 
2016/05/17 04:24:53 Could not make initial commit: exit status 128

Despite the error, passgo appears to be working.

[user@sandbox ~]$ passgo insert test/first
Enter password for test/first: 
[user@sandbox ~]$ passgo
.
└──test
   └──first

Lastly, a thought unrelated to the error message (I think). Strong crypto or not, there's no reason for .passgo or its contents to be world-readable.

[user@sandbox ~]$ ls -la .passgo/
total 20
drwxr-xr-x  3 user user 4096 May 17 04:24 .
drwx------ 30 user user 4096 May 17 04:24 ..
-rw-rw-r--  1 user user  724 May 17 04:24 config
drwxrwxr-x  7 user user 4096 May 17 04:31 .git
-rw-rw-r--  1 user user  227 May 17 04:31 sites.json

Lastly (for real), thanks for contributing this!

$ go get -u github.com/ejcx/passgo
src/github.com/ejcx/passgo/vendor/golang.org/x/crypto/nacl/secretbox/secretbox.go:38:2: use of internal package not allowed

This would mean that somebody could create a web extension that consumes the service.

If you Ctrl+C when prompted for a new password, STDIN's state will be messed up afterwards.

To reproduce:

$ passgo insert test.com
Enter password for test.com: # Hit Ctrl+C here

At this point try hitting enter a few times and you'll notice the bash prompt piling up on a single line instead of going to the next line. Also any commands you type will not appear in the shell.

Right now we are "shelling out" to git commands. This isn't that great but better options are scarce.

Returning error, right now, only gives us opaque failure messages even when things succeed. We can scrape the exec Command Output for patterns that determine if a particular command was successful or not.

For example a successful push ends with something that looks like this.

  aaaaaaa..aaaaaaa  master -> master  

When attempting to generate a password using the default length, I noticed a runtime panic from passgo. While looking into this I realized that specifically asking for an element of a slice that does not exist causes failure in Golang, more information here.

Go version 1.6.1
Error message:

hunter@eros:~/ownCloud/git/passgo> passgo generate
panic: runtime error: index out of range

goroutine 1 [running]:
panic(0x5728e0, 0xc82000e1e0)
    /usr/lib64/go/src/runtime/panic.go:464 +0x3e6
main.main()
    /home/hunter/ownCloud/git/godir/src/github.com/ejcx/passgo/passgo.go:97 +0xf77 

the edit and clone commands are also susceptible to this error.

Tracking this issue here. Will fix tonight. Fix is already written just need to test.

Well, print password in terminal is really unsage. maybe it's better to paste them into clipboard as default?

passgo generate help says:

passgo generate length=24
	Prints a randomly generated password. The length of this password defaults
	to 24. If a very short length is specified, the generated password will be
	longer than desired and will contain a upper-case, lower-case, symbol, and
	digit.

I've noticed that running passgo generate sometimes generates passwords with greater than 24 length. I've gotten: 25, 32, 37, 39.

It happens with the default passgo generate invocation, but also for other values of length. E.g., when I ran passgo generate 20 a bunch of times, I got lengths like: 24, 25, 32.

To reproduce, run go generate at least 20-30 times.

Is this a bug or intentional behavior which isn't documented?

Hi,

pass, because it uses gpg, comes with the gpg-agent feature that is rather practical (at the cost of being less secure as far as I understand), especially considering that you should have a strong master password (<=> longer to type).

What kind of strategy do passgo users use to avoid entering their master password over and over, if any?

Is there any plan to implement some form of agent to use in combination with passgo?

Hi @ejcx. I saw that you've worked on version 2 of passgo in PR #57, and have released it by now.

I'm not finding much in the release notes or README about compatibility with version 1. Usually major version bump represents a breaking change, that's why I'm not sure.

If I've been using passgo 1.x and have a vault it created, can passgo 2.x continue to work with that vault, or do I need to create a new vault and import my passwords into it?

Thanks!

First of all, thanks for sharing a wonderful software!

Could you add LICENSE file?
The following site may help for choosing a license.
http://choosealicense.com/

Thanks!

Hi again. I've started using and relying on passgo recently, I really like it, and I'd like to contribute to try to make it even better.

When I first tried it, I had to learn the CLI and how to use it, and I ran into a pretty glaring IMO usability issue. I will explain it here, and also propose a fix.

Usability Issue

passgo has quite a few commands:

https://github.com/ejcx/passgo#commands

And it's described as:

stores, retrieves, generates, and synchronizes passwords securely and is written in Go!

So it's pretty clear and storing and retrieving passwords is the core functionality.

Yet when I tried to read about the commands it has in https://github.com/ejcx/passgo#commands, I was only able to find a command to store a password:

https://github.com/ejcx/passgo#passgo-insert-grouppass-name

passgo insert group/pass-name

I looked really really hard and literally spent 10 minutes trying to figure out how to retrieve a password, but it was not documented anywhere at all. I thought it was really surprising given how it's such basic functionality.

After 10 mins of reading the README, trying stuff and looking at the source code, I was eventually able to figure it out, to retrieve the password, there is no command, you just need to type:

passgo group/pass-name

But this is literally not documented anywhere!

Proposed Fix

A very basic fix is to document how to retrieve the password and add it to the README, together with all the other commands that are already documented there.

However, I'd like to propose a slightly different solution.

I think it's a bad idea to not have an explicit command name for something as fundamental as retrieving the password. It's unintuitive, inconsistent, asymmetrical, and makes it hard to document the command. It also has the danger of overlapping with an existing command name (see #16). You can accidentally try to fetch a password for a site called "push" and inadvertently perform an unwanted action.

I think a really good solution would be to add an explicit command for retrieving passwords. That resolves all the issues above with not having a proper command.

What do you think?

When adding sites, some site names should be blacklisted. In particular, if you try to insert a site with the same name as a command.

For example, generating a site with the name "insert" wouldn't allow the user to ever get the password for that site, since passgo insert would invoke the insert command. Of course, the user could solve this by simply renaming the site, but why create the problem from the beginning?