I'm using pass as my password manager but I heard a lot of good about bitwarden
so I decided to give it a try, that would be one fewer thing to administrate for
me.
One very important feature for me is having a command line interface because I
have a bunch of scripts that need to be able to query the password manager.
Fortunately bitwarden provides a first party CLI that seems pretty fully
featured, so I was optimistic.
Anyway, I try to install bitwarden-cli through AUR and I see that one of the
dependencies is nodejs.
Oh no.
Right so it's a javascript thingy. I'm a bit shocked, but then I decide that I'm
being silly and it's what all the kids use these days and it's just a
programming language and who cares. So I decide to push forward and install the
binary version of the program (installed size is 65MB, as a comparison point
lastpass also provides a CLI tool written in C that's 0.2MB installed).
Since I don't know how the tool works, I decide to launch it without argument to
get the usage. It takes 0.6 seconds to display the usage. That's with a hot
cache.
Oh no.
So that's the story of how I kept using pass. I know that some people will say
that it's not that big of a deal, and I know that for bitwarden's devs it might
make sense to implement their client that way because it lets you reuse some
code and get good portability, but I just can't even. I'm running on an
overclocked desktop computer capable of executing billions of instructions per
second, I can play 4K videogames at 60 fps but apparently I get 1.6 UPS (usages
per second) with this tool. It unironically makes me sad that this is the state
of software engineering nowadays.
Reading this thread it seems like it's a mess when it comes to privacy too, so I suppose I dodged a bullet.
I agree that the Bitwarden cli is awful. You have to log in, and store the token it gives you manually so that it knows you're logged in.
However, I found https://github.com/doy/rbw, an alternative OSS CLI written in Rust, and it's exactly what I wanted. (Disclaimer: I liked it so much I wrote a rofi integration for it.)
I've never had a use for a command line password manager so I've got to ask: how does this fit into your workflow? I'm honestly mostly using a password manager in my browser and on my phone; I don't need command line authentication all that often.
I didn't even know LastPass had a CLI, but it seems like it's a rewrite of the algorithm and surrounding toolset in C.
I can understand why the Bitwarden devs didn't want to go through the effort, though. The tiny minority of Linux-users that want a command-line password manager is not exactly worth a lot of development time, so I figured they just put their JS library in a NodeJS application and called it a day.
I don't do a lot of "serious stuff" on my phone, so whenever I need to input a password there I just display the password on my computer and enter it there. If I regularly needed to access my passwords, however, my current solution would be unusable.
As for my workflow I don't have any auto-fill on my browser, I just use "pass -c my-password-entry" to put it in the clipboard and paste it from there. It's arguably less secure than having it autofilled I suppose, but it hasn't been an issue so far (and pass clears the clipboard after 45 seconds to mitigate the risk).
Then I have a bunch of scripts for starting my VPN connections, my email client etc...
I should add that my pass's GPG key is stored on a yubikey and I need to physically press the button to decrypt, so that adds a pretty good layer of protection.
So yeah, I realize that my use case is incredibly niche, but I do think that being able to use your password manager in scripts could be useful in some cases even for people who are less enamored with the terminal than I am.
For me I have 1 use case - logging onto a Cisco Anyconnect VPN.
Since I do this multiple times per day I wrote a simple bash script that invokes Anyconnect and supplies the VPN credentials it pulls out of my password manager. I alias this script in my shell environment so it's as simple as typing "vpn" to get logged onto the corp network, saving the hassle of mousing around to get onto the VPN.
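The scripted VPN login described in the comments above, sketched as an added example that is not part of the thread or any commenter's actual script: it reads the entry with `pass show` and hands the password to the client on stdin. The entry name, user and host are hypothetical placeholders, and openconnect (an AnyConnect-compatible client) stands in for Cisco's own binary.

```shell
#!/bin/sh
# Added example (not the commenter's script). Entry name, user and host below
# are hypothetical placeholders.

# Print only the first line of a pass entry; by pass convention that line is
# the password and later lines hold metadata.
get_secret() {
    local entry out nl
    entry=$1
    nl='
'
    out=$(pass show "$entry") || return 1
    printf '%s\n' "${out%%"$nl"*}"
}

# Run a command with the secret on its stdin. printf is a shell builtin, so
# the secret never appears in a process's argv (visible to every local user
# via ps) or in an exported environment variable.
secret_to_stdin() {
    local entry secret
    entry=$1
    shift
    secret=$(get_secret "$entry") || {
        echo "could not read '$entry' from the password store" >&2
        return 1
    }
    [ -n "$secret" ] || { echo "entry '$entry' is empty" >&2; return 1; }
    printf '%s\n' "$secret" | "$@"
}

# What a "vpn" alias could call. Assumes a client that reads the password
# from stdin; openconnect's --passwd-on-stdin is used here as one such client.
vpn() {
    secret_to_stdin "${VPN_ENTRY:-work/vpn}" \
        openconnect --passwd-on-stdin --user="${VPN_USER:-alice}" \
        "${VPN_HOST:-vpn.example.com}"
}
```

If the store's GPG key lives on a hardware token, `pass show` blocks until the touch is confirmed, and a failed or cancelled decrypt stops the script before the client is started.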