Deterministic password manager Issues
If you read password managers that don't store passwords here on Ghacks, you know already what deterministic or stateless password managers are.
Broken down to the basics, these password managers don't store passwords or account information. So, instead of having to use local or remote storage for the password database, these programs rely on algorithms instead to generate passwords on the fly.
How that is done? Through the use of algorithms that compute passwords when the user enters a master password and other data.
Again, at the very basic level, a password would come out when you enter the master password and the domain of a site.
The main advantage is that there is no syncing or password storage involved, at least not on the basic level.
This means that you can generate your passwords on any device if you use a program, app or online service that offers such a solution without having to sync your password database.
Deterministic password manager Issues
If you look closer, or use a service for a while, you may realize that deterministic passwords have a couple of issues.
While you may still use a password manager with a deterministic approach, you should be well aware of them before you make the decision.
If you want to change the master password, you need to change all passwords on all sites as well, as the master password is one key component that is used to generate the passwords.
So, if your master password gets hacked or leaks accidentally, then you need to go ahead and change passwords on all sites.
Basic stateless password managers don't offer options to change individual passwords. If you need a password changed, you need to change the master password which in turn requires all other passwords to be changed as well.
More sophisticated solutions ship with options to change a variable to generate a new password for a single site.
The algorithm that computes the passwords cannot be changed easily. If it changes so that new passwords get generated when a user enters the master password and other information, then all passwords need to be changed as well before the system is updated to the new version.
Algorithm changes may be necessary if flaws are discovered in the implementation.
Migration to a deterministic password manager
There is no import option which means that you need to generate new passwords for any account that you want to use the deterministic password manager for.
Most Internet sites and programs ship with password rules. Some may require a certain minimum or maximum length, others that numbers, special characters or upper case characters are included.
There is no way that deterministic password managers can take those requirements into account without interface that users may use to pick those information.
The password manager LessPass for instance displays those options on its site, while others may not offer them at all (which means they cannot generate working passwords for some services).
You do need to remember the rules that you have specified for certain sites though, or store those information locally or remotely.
The information stored contains sensitive information that may help attackers.
Apart from remembering password rules -- if you choose not to save the information -- you need to remember the sites you have registered an account with using the password manager.
Since you need to enter the data manually each time you require the password. This may not be a problem if you use it for a handful of sites, but it is easy enough to forget about one or the other site, or which site URL you used.
Now You: Do you use a password manager? If so, which and why?
Keepass. I’ve been using it for a decade or so now. It’s offline, it’s secure, multi-platform,it has an excellent help file, and it can work with browsers using extensions. Plus it has survived intense scrutiny by being the most popular free, offline password manager.
For password generation, I use PWGen for Windows.
Ditto. KeePass – for the same reasons.
I have PWGen too, but I don’t know if its algorithm to produce random passwords is superior to KeePass’s own built-in generator.
I can’t say if Keepass has superior password generation. I use PWGen because I want to diversify my passwords. For some sites, I use pronounceable passwords (easy to remember), for some sites I use 5 word passphrases (diceware-like functionality, even easier to remember), for some sites I use totally random alphanumeric passwords. PWGen does those quite well.
Martin you’re a better writer than most americans you do not need “go ahead and” . Also I did not know that opera ships anything. Yes I know semantics. Just a friend with some advice. Cheers.
Thanks for the thoughtfull analysis!
Used to use PasswordMaker, but it hasn’t been updated in… 6 years, now.
Wladimir Palant’s “Easy Passwords” does a very good job, and handles most of the issues listed, other than needing to change all passwords if the master password needs to be reset (which is probably not a solvable issue, though I could see wanting to import prior passwords as legacy passwords rather than trashing them altogether, at least til you finish changing them).
You can change individual passwords, or have multiple passwords for the same site/username, as well as share passwords across multiple sites (eg: same password on sitename.com as forums.sitename.com). It also has the option to save legacy passwords, as well as notes per site that get encrypted.
On the other hand, I still don’t use it much since I moved from PasswordMaker to KeePass when PasswordMaker stopped really working very well, and Easy Passwords is a relatively recent addon.