Is it safe to store (encrypted) passwords on GitHub?
Terse answer
It's ok to put a pass repo github.
Verbose Answer
Your pass repo is GPG encrypted using whatever private key you've selected, so it's as bullet proof as the key you've chosen. Furthermore, your private key is not stored in your pass repo. This means that the private vs. public location of your encrypted password files is not the weak link in your password manager's security. Rather, it's the private key that you've encrypted them with that you have to worry about.
Make sure it's a good key (like the one you've mentioned) and don't expose it to anyone because they won't have to crack that big ol' key to use it. They'll just have to bork your password, and, let's face it, it's really tough to be certain your password is good enough to stop everyone.
So don't let anyone else see your key. If you move your private key to each of your computers that use pass, then you can just pull your pass repo from github and use the private key stored on those computers individually. Now they'll all stay synced and safe.
Two More Things To Consider
The whole point of pass is to keep your passwords encrypted. If you're not ok with them being on github.com, then what you're really relying on is their private location and not their encrypted state. If that's the case, then why encrypt them at all? You could just use the same flat files that pass uses, and not bother encrypting them. That'd be pretty convenient!
Also, keep in mind that making your password manager easier to use means you're less likely to want/need to subvert it. Any time you have to do pass's job for it (e.g. resetting a password on an account because the nice secure one was generated on a different computer and you haven't manually synced yet, but you have to get in right now) you're gonna reduce the security it provides.
This will be safe, but exposes you to additional risks compared to not putting your password store in a public place.
- Accidental upload of unencrypted passwords (you won't do that on purpose, but sure it might not happen by accident, or because of some software bug?)
- Unknown weaknesses in RSA or the symmetric encryption in use
- Usage patterns revealed (statistics is powerful)
- Accidental release of your access token results in public data; if you'd additionally kept that private, you're much safer
- Worst case is your whole password store history is revealed, compared to only the current one
With other words: if you do not do mistakes, trust the software and the math behind the encryption algorithm stays secure publicly storing the encrypted password store is fine. If you have doubt in any of those (and personally, my trust would be in exactly this order, with lost trust in myself as a user with high confidentiality in the math behind), keep the store private.
Ever posted a private passphrase in some chat window by accident that popped up? I know a bunch of people that did, including myself.
This is a good question, since it has been a problem in the past where someone put a private password in a public repository.
Think of it this way, it's good practice to not store that file (along with any other sensitive files) in a public repository, even if it's private. It is good to back it up somewhere, but if lets say your password was retrieved somehow (third party site for example), they could access your github and still retrieve the password. Worst case, but it is still possible. I would usually suggest having some kind of file stored on an external hard drive, and possibly store the hard drive somewhere in-case there's a fire.
If you really want to use a repository or cloud to store it, just do everything you can to keep it safe.
Overall it's not the best idea. It's not the worst, but it's best to think of the "what would happen if?" scenarios. It may never happen to you, but if it did, is it worth the trouble?
Edit: I was thinking of programs in some of my post, so i trimmed it up for you to answer your question better.