1. 12
  1.  

  2. 3

    While it’s true that deterministic password managers realistically need some state, there’s an important distinction in that with a deterministic password manager, the state isn’t at all sensitive. I would feel totally comfortable storing the character restrictions and rotation state for each service in a publicly accessible place, but storing my encrypted paswords publicly would just give me the heebidie-jeebidies. I know, I know this is fine in principle with good encryption but it still feels scary.

    The last point is a totally legitimate criticism that gives me some anxiety as a user of such tools. It helps to remind myself that previously I largely just used the same password everywhere, and what I have now is certainly a lot better than that :)

    1. 1

      With deterministic manager, anyone can pretend to be you by stealing your master password.

      With a vault based manager, they need to steal your password, and your vault data.

      So by putting your encrypted passwords publicly, all you have done is reduced your vault based manager to a deterministic manager, by making the state no longer a secret.