Pass: using time-based one-time passwords - TOTP


If you don’t use a password manager or are still undecided about picking one, I strongly recommend you have a look at pass - the standard unix password manager, which boils down to applying the Unix philosophy to password management.

Quoting the first paragraph of its introduction:

Password management should be simple and follow Unix philosophy.
With pass, each password lives inside of a gpg encrypted file whose filename is the title of the website or resource that requires the password.
These encrypted files may be organized into meaningful folder hierarchies, copied from computer to computer, and, in general, manipulated using standard command line file management utilities.


If you are a bit serious about the security of your accounts, the next step after rigorous management of your passwords is to use the Time-based One-Time Password (TOTP) algorithm where available.

Luckily, amongst all the pass extensions, there is one to manage TOTP secrets.

Pass/TOTP on macOS

You can install the extension using either of the following (more in the README):

  • Brew: install the oathtool dependency, then clone the GitHub repository
  • MacPorts: sudo port install pass-otp will nicely take care of everything (hint: I wrote the MacPorts port, so use it :D)

Then you are ready to go:

  • Append a TOTP secret to the entry web/, using the shared secret provided by the website (-e echoes your input):
% pass otp append -e web/
Enter otpauth:// URI for web/ otpauth://totp/totp-secret?secret=<your_base32_secret>
Retype otpauth:// URI for web/ otpauth://totp/totp-secret?secret=<your_base32_secret>
[master 14bf351] Append OTP secret for web/
 1 file changed, 0 insertions(+), 0 deletions(-)
 rewrite web/ (100%)
  • Retrieve the current TOTP code, generated from the stored secret:
% pass otp web/

And that’s it! More details are in the README of the extension’s GitHub repository.
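
What the otpauth:// URI appended above encodes, and how a one-time code is derived from it per RFC 6238, as an added example (not code from the pass-otp extension, which relies on oathtool). The sample secret is the RFC 6238 test key, and the defaults of SHA1, 6 digits and a 30-second period are assumptions taken from the common key URI format.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import urlparse, parse_qs

ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth(uri):
    """Parse an otpauth://totp/ URI into (key_bytes, digestmod, digits, period)."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in params:
        raise ValueError("missing secret parameter")
    # Sites often display the secret lowercased, spaced and without padding.
    secret = params["secret"].replace(" ", "").upper()
    secret += "=" * (-len(secret) % 8)
    key = base64.b32decode(secret)  # raises binascii.Error (a ValueError) on bad base32
    algorithm = params.get("algorithm", "SHA1").upper()
    if algorithm not in ALGORITHMS:
        raise ValueError("unsupported algorithm: " + algorithm)
    return key, ALGORITHMS[algorithm], int(params.get("digits", 6)), int(params.get("period", 30))


def totp(uri, unix_time):
    """Return the RFC 6238 code for the given URI at the given Unix time."""
    key, digestmod, digits, period = parse_otpauth(uri)
    counter = struct.pack(">Q", int(unix_time) // period)  # 8-byte big-endian time step
    mac = hmac.new(key, counter, digestmod).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


# Constructed sample: the RFC 6238 test key "12345678901234567890" in base32.
SAMPLE_URI = "otpauth://totp/totp-secret?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&digits=8"

if __name__ == "__main__":
    import time
    print(totp(SAMPLE_URI, time.time()))
```

Anyone who can read the URI can generate the same codes, which is why pass keeps it inside the gpg-encrypted entry.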