
I'd still much rather stick with https://www.passwordstore.org/. It's encrypted with your keys (which I didn't see on Bitwarden's site) and has plugins for Chrome/Firefox (you can set up keyboard shortcuts to fill in your info automatically as well) and works with Git.

Although it is a bit of a hassle to set up on mobile devices (I use Pass for iOS), the security and functionality it provides is worth it.



I would argue that pass isn't that secure other than when your computer is off.

Namely that it requires copy and pasting. Any program on your computer can read your clipboard.

And for normal users, who are more vulnerable to phishing, there isn't automatic domain checking. It would be their normal workflow to copy a password into a malicious site.


If you install Browserpass for Chrome (there's an alternate for Firefox as well) all you need to do is type in your keyboard command and it'll automatically fill out your info for you on the website.

Meaning: Suppose you go to gooogle.com instead of google.com, the extension won't fill out info because it doesn't recognize you having a user/pass for gooogle.com.
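The host check described in this comment (fill only when the current site matches a stored entry, so a lookalike domain gets nothing), written out as an added example; this is not code from the thread or from Browserpass. It assumes a store layout where the first path component of an entry names the site's host, and it allows subdomains of that host to match; both are my assumptions, not Browserpass's documented behaviour.

```python
from urllib.parse import urlsplit

# Constructed sample of a pass store: entry paths relative to the store root,
# with the ".gpg" suffix stripped. Not a real store.
STORE_ENTRIES = [
    "google.com/alice@example.org",
    "accounts.google.com/alice-work",
    "github.com/alice",
    "bank.example/alice",
    "misc/wifi-home",
]


def host_of(url: str) -> str:
    """Return the lowercase hostname of url without port; '' if there is none."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    return (parts.hostname or "").rstrip(".").lower()


def entry_host(entry: str) -> str:
    """Assumed convention: the first path component of an entry names its host."""
    return entry.split("/", 1)[0].lower()


def host_matches(entry_hostname: str, page_host: str) -> bool:
    """True if page_host equals the entry's host or is a subdomain of it.

    Matching is by whole DNS labels: 'gooogle.com' does not match 'google.com',
    and 'google.com.evil.example' does not match either, because the entry host
    must be the whole page host or a dot-separated suffix of it.
    """
    if not entry_hostname or "." not in entry_hostname:
        return False  # entries like 'misc/...' are never offered for autofill
    return page_host == entry_hostname or page_host.endswith("." + entry_hostname)


def candidates(url: str, entries=STORE_ENTRIES) -> list:
    """Entries that may be autofilled on url. An empty list means: fill nothing."""
    page_host = host_of(url)
    return [e for e in entries if host_matches(entry_host(e), page_host)]


if __name__ == "__main__":
    for u in ("https://accounts.google.com/signin",
              "https://gooogle.com/login",
              "https://google.com.evil.example/"):
        print(u, "->", candidates(u) or "no match, nothing filled")
```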


This is a basic feature of every password manager I've ever used.


Yes, he's just making the point to the GP, that actually copy and paste is not a requirement to use pass.


Dude if your clipboard is untrusted in your threat model then you have bigger problems. Any program that is reading your clipboard could also be logging your keys, watching your webcam, recording your screen, or exfiltrating your files.

Have a reasonable security model please


The clipboard is extra vulnerable. It requires no privileges at all to read. Up until very recently, JavaScript in your browser could pull content directly out of your clipboard.

Even beyond that, copy and pasting is training users to copy and paste. This is an even bigger threat imho. There is no layer of extra validation.


Can't any program on your computer also just keylog your master password and get your whole database? That's worse than getting individual passwords from the clipboard.


Only a program with elevated privileges can record keystrokes when not focused. Unprivileged programs can see the clipboard data much more freely.


Hmm, what if a malicious program modifies your PATH (or creates a bash alias) so that whatever command you use before you enter your master password is now replaced with a backdoored one?


You should specify the full path to the real "pass" when you configure the browser extension. This is a very common problem—with a known solution—in shell scripts since forever.


Is the browser extension configuration owned by root? I thought that would be owned by your user. So the malware could modify that configuration.


> It's encrypted with your keys (which I didn't see on Bitwarden's site)

Same with Bitwarden: https://help.bitwarden.com/article/can-bitwarden-see-my-pass...


I'm interested. Is it more secure than KeePass?


Not especially, but it supports multi user and organisations, so different use cases, although it's a decent choice for personal use too.


How about sharing passwords with a team?


You can use gopass[0] for that. It's pass but with syncing capabilities.

[0]: https://www.gopass.pw


I should have said non-technical team. Currently we're kicking around passbolt - but, if there is time on Feature-Friday I want to eval BW


In this case, Pass is probably not the right solution for you. It's a bit hard to set up keys and then share them over Git... which is most likely a bit too complicated. This being said, QtPass is a GUI for Pass, but not the best when compared to stuff like Bitwarden (presumably, haven't used it) or Lastpass.



