Working with gopass

Mon 11 March 2019 | tags: tech

I recently discovered gopass as a nifty tool for managing passwords. Because I also moved my GPG key to a Nitrokey, I now have a rather secure approach to managing passwords.

Of course, there are several drawbacks to gopass if you don't have an HSM that needs physical approval of a decryption request, but as always: security and usability have conflicting interests most of the time.

I'm quite happy with the current setup, as it integrates nicely into my workflow and works with Windows as well. Since the Nitrokey can also be used for SSH authentication, I have a one-tool-to-rule-them-all solution with enough security for my personal needs.

Using a YubiKey could have been a better choice, as some versions of the YubiKey need confirmation for decryption requests. This would allow me to simply plug in the key when I start working, enter my PIN once, and then only press the key every time a decryption is needed, which is quite seldom.

The Nitrokey approach suffers here, as a trojan could possibly dump all my passwords: it just has to issue a decrypt request once I have entered my PIN. I am too lazy to unplug the Nitrokey after each time I use it...

For personal use, this should be enough security anyway, and I don't have to rely on the cloud for my passwords.
