I've been using masterpassword [1] which is stateless and requires no sync. I wonder what the HN crowd thinks of its features. Another option with the same paradigm is lesspass [2].
The general consensus of security experts seems to be that they're a bad idea.
I think my setup using `password-store` works great, and arguably is more secure since I rotate my passwords regularly as well.
The main reason I argue my system is more secure is that it has a physical gpg yubikey token to decrypt my password database.
In the 'deterministic password managers', there's no easy way to require that you have physical access to my yubikey in order to decrypt the passwords. You could keylog the master phrase in the case of deterministic ones and have a persistent pwn... heck, just typing the master password into a public slack by accident pwns most deterministic password managers (as pointed out in the above article).
On the other hand, even if someone keylogs my yubikey's user pin, well, they still need to either have the yubikey or to trick me into unlocking the yubikey again for their malicious attacking software. If I accidentally type my user pin into slack, I really don't have to worry all that much.
My yubikey is state. A stateless password manager cannot rely on it to secure the actual passwords or else it is no longer stateless.
If the yubikey is only used to secure the master passphrase that derives the other deterministic passwords, then relatively little has been gained because the actual derivation of the passwords happens separately and the original concerns are still largely present.
Even if the master password is secured with a yubikey, many of the other flaws are still present, and if you need a yubikey to access your passwords anyway, you might as well encrypt the passwords directly rather than going through this awkward extra step that reduces security.
In my system, you have a number of additional pieces of information that are used to generate the password, including a counter and a salt. If you need to change your password, you would typically just increment the counter. You can also do this if the password policies don't allow your password for some reason.
This does mean that you need to remember what the version is. Fortunately this information doesn't need to be kept secret. I also have a system that generates emojis based on your settings, so as long as you remember the emoji that goes with the site, you can just increment it until you get the right one, so it's down to you whether you store the version number somewhere or remember the emoji.
I use URLs by default, but you can enter anything you want into the 'purpose' field. It's still pretty raw, but it's at https://github.com/kybernetikos/sinkless
Most of the complaints people have about deterministic systems don't really hold up in practice for me. Protecting them with 2FA would be better, of course, which deterministic managers can't do and lots of the good password managers do, but I really dislike having to worry about syncing state beyond just emailing it to myself.
One thing that would be awesome would be if someone came up with a standard machine readable way of describing the limitations on passwords for sites (allowable characters, number of characters, any restrictions on previous values / sequences etc), and all good sites could embed that information, and poor sites could be looked up in a third-party service.
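The counter/salt/purpose derivation and the emoji "which version is this" trick described in the comment above, as an added example that is not sinkless's own code (its real algorithm is not shown here). The KDF choice (PBKDF2-HMAC-SHA256 with the iteration count shown), the HMAC-based per-site derivation, the 70-character alphabet and the 16-entry emoji table are all assumptions made for illustration; the inputs in the `__main__` block are constructed.

```python
"""Added illustration of a deterministic (stateless) password scheme.
Not the sinkless or masterpassword algorithm; every parameter here is an assumption."""
import hashlib
import hmac
import string
from typing import Optional

# Constructed alphabet (70 symbols). A real tool would take this from a per-site policy.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"

# Arbitrary 16-entry table: one emoji per nibble. Only the recognisability of a
# (site, counter) pair matters, so the table itself can be public.
EMOJI = ["🍎", "🚲", "🐙", "🎲", "🔑", "🌵", "🎩", "🚀",
         "🐝", "🍩", "🦊", "🎻", "🧲", "🪐", "🧊", "🐢"]


def master_key(master_password: str, salt: str) -> bytes:
    """Slow KDF over the master phrase plus a non-secret salt (e.g. your e-mail).
    The slowness is what makes a leaked site password expensive to turn into an
    offline guess at the master phrase. Iteration count is an assumption."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               salt.encode(), 200_000, dklen=32)


def derive_password(key: bytes, purpose: str, counter: int, length: int = 20) -> str:
    """Site password = f(master key, purpose, counter). Incrementing the counter
    rotates the password without any stored state. Inputs are NUL-separated so
    ("example.com", 11) cannot collide with ("example.com1", 1)."""
    msg = b"\x00".join([purpose.encode(), str(counter).encode(), str(length).encode()])
    out: list[str] = []
    block = 0
    while len(out) < length:
        digest = hmac.new(key, msg + block.to_bytes(4, "big"), hashlib.sha256).digest()
        for b in digest:
            # Rejection sampling: drop bytes >= 210 so b % 70 stays uniform over ALPHABET.
            if b < 256 - (256 % len(ALPHABET)):
                out.append(ALPHABET[b % len(ALPHABET)])
                if len(out) == length:
                    break
        block += 1
    return "".join(out)


def emoji_fingerprint(key: bytes, purpose: str, counter: int, n: int = 3) -> str:
    """Short, memorable tag for a (purpose, counter) setting. Keyed with a distinct
    domain tag so it reveals nothing about the password bytes, and only n nibbles
    of a key-dependent digest, so it leaks very little about the key."""
    tag = b"fingerprint\x00" + purpose.encode() + b"\x00" + str(counter).encode()
    digest = hmac.new(key, tag, hashlib.sha256).digest()
    return "".join(EMOJI[digest[i] & 0x0F] for i in range(n))


def find_counter(key: bytes, purpose: str, remembered: str, max_counter: int = 100) -> Optional[int]:
    """The "increment until the emoji matches" step: recover the current counter
    for a site from the fingerprint the user remembers, without storing it."""
    for counter in range(1, max_counter + 1):
        if emoji_fingerprint(key, purpose, counter) == remembered:
            return counter
    return None


if __name__ == "__main__":
    # Constructed sample inputs.
    key = master_key("correct horse battery staple", "alice@example.com")
    site = "https://example.com"
    for c in (1, 2, 3):
        print(c, emoji_fingerprint(key, site, c), derive_password(key, site, c))
    # Simulate a user who only remembers the emoji for their third password version.
    remembered = emoji_fingerprint(key, site, 3)
    print("recovered counter:", find_counter(key, site, remembered))
```

Note what this does and does not buy you: the counter and emoji are not secret, so remembering or e-mailing them costs nothing, but anyone who captures the master phrase (keylogger, a paste into Slack) can derive every site password offline with exactly this code, which is the weakness the earlier comments in the thread are pointing at.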