Configuration can be either in YAML or sqlite format. The default paths searched for configuration files are, in order:


sqlite is the recommended configuration format. A new sqlite config will be initialized by default at ~/.passacre.sqlite with the passacre init command.

Where sqlite uses dotted names, YAML uses nested mappings. For example, to specify z for the x.y key in YAML:

  y: z

Global options

All of these options are set either as root keys in the YAML document or with the passacre config command for sqlite.


Either true or false (the default). If set to true, any time the user is prompted to enter their password, a confirmation prompt will ask for the password a second time. This helps ensure the correct password was entered.


Either keccak (the default) or skein. Controls which hash algorithm is used to generate passwords. This is just a matter of personal preference and neither one is better. Can safely be ignored if you don’t understand or don’t care.

Both methods are available by default in passacre on either python 2 or python 3.

Any sites which don’t specify their own method in the configuration file will use the global method. The global method is also used for hashing site names.


The base number of iterations to use for password generation. It is safe to leave this alone if you don’t know what to do with it.

One iteration corresponds with adding another 1024 null bytes to the input to be hashed. The default is 1000, though it can be comfortably be set higher. As Skein/Threefish is a bit faster than Keccak as a pseudo-random number generator, this value should probably be set higher if skein is selected as the default method.


A path to a file containing words, with one word per line. This is used for generating passwords using the special word name in the schema. By default, there is no words-file and generating passwords containing words will fail.


Either true, false, or 'always'. When looking up a site’s configuration information, this controls whether or not passacre should try to find an entry for the site name or instead hash the site name and find an entry for the resultant hash.

true means that passacre will first try looking for configuration information on the unhashed site name, then try on the hashed site name. If no entry is found for either, passacre will use the default configuration. false means that passacre will never try to use the hashed site name. 'always' means that passacre will only try to use the hashed site name and never try looking up an unhashed site name.

Additionally, 'always' is respected by passacre site and passacre config when adding, removing, or modifying site configurations; passacre will act as if the --hashed flag is always passed.


The method to use for hashing site names. Defaults to the same value as method and has the same semantics. Safe to disregard if you either don’t understand or don’t care.


The number of iterations to use when hashing the site name. Defaults to the same value as iterations and has the same semantics.

Site options

All of these options are set under keys corresponding to the site name in the root sites mapping in the YAML config or with passacre config for sqlite.


The method to use for hashing passwords for this site. Defaults to the same value as method and has the same semantics.


The number of iterations to use when hashing passwords for this site. Defaults to the same value as iterations and has the same semantics.


A value which will be added to iterations in order to find the number of iterations used for hashing the password for a site. Defaults to 0. This can be incremented to generate new passwords for the same site and master passphrase combination without modifying the global iterations.


The schema used to generate passwords for this site. Required; there is no default. This is set with passacre schema for sqlite. See the section on password schemata for details of its format.


The configuration slot used for YubiKey two-factor password generation. The specified slot must be configured for HMAC challenge/response. Generating a password for a site will then issue a challenge of the UUID dd34b62f-9ed5-597e-85a2-c15d48ed6832 and prepend the response to the input password being used for generation.


Passacre uses a small superset of JSON for specifying configuration on the command line. Syntax is mostly the same, but with the following changes:

  1. Strings don’t require quotes for strings composed of just alphanumeric characters, hyphens, and underscores. This works for both object keys and string values. For example, {foo-bar: baz} is the same as {"foo-bar": "baz"}.
  2. The braces are optional for a top-level object. For example, spam: eggs, eggs: spam is the same as {"spam": "eggs", "eggs": "spam"}. Objects beyond the top level still require braces.
  3. null can also be written as %.