As much as I want to like stateless password managers, I don’t think they will ever work in the wild. Inevitably you will come across a site with stupid password restrictions that will reject your generated password.
I don’t want to let the perfect get in the way of the good. We can get 95% of the way there if the generated passwords have one lowercase, one uppercase, one symbol and are 16 characters or less. A crowdsourced spreadsheet of the password ‘rules’ for popular sites would let us do an even better job.
One change I’ve been contemplating is to always append a ‘bang’ at the end of the password to accommodate the ‘one symbol’ rule.
Couldn’t you store site-specific restrictions for sites that have them without storing the generated passwords themselves? I know that at least some password managers let you specify restrictions to which generated passwords should conform.
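The approach discussed in the comments above (derive each password from the master password and a tag, make it satisfy "one lowercase, one uppercase, one symbol, 16 characters or less", and store only site-specific restrictions, never passwords), as an added Python sketch that is not part of the thread or of any tool mentioned in it. The policy table, the site name `legacy-bank.example`, the PBKDF2 parameters and all function names are assumptions made for illustration.

```python
import hashlib
import string

# Hypothetical policy table: only the rules are stored, never a password.
DEFAULT_POLICY = {"length": 16, "classes": ["lower", "upper", "symbol"], "symbols": "!"}
SITE_POLICIES = {  # constructed sample entry for a site that rejects symbols
    "legacy-bank.example": {"length": 12, "classes": ["lower", "upper", "digit"], "symbols": ""},
}

def _alphabets(policy):
    table = {"lower": string.ascii_lowercase, "upper": string.ascii_uppercase,
             "digit": string.digits, "symbol": policy["symbols"]}
    return [table[name] for name in policy["classes"]]

def derive_password(master, tag, policy=None, iterations=200_000):
    """Deterministically derive a password for `tag` that satisfies `policy`."""
    policy = policy or SITE_POLICIES.get(tag, DEFAULT_POLICY)
    classes = _alphabets(policy)
    if any(not alphabet for alphabet in classes) or policy["length"] < len(classes):
        raise ValueError("policy cannot be satisfied")
    # The policy is part of the salt, so a different policy yields an unrelated password.
    salt = repr((tag, policy["length"], policy["classes"], policy["symbols"])).encode()
    seed = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen=64)
    pool = int.from_bytes(seed, "big")  # 512 bits, far more than is consumed below

    def pick(n):
        # Take a value in range(n) out of the pool; bias is negligible at this size.
        nonlocal pool
        pool, remainder = divmod(pool, n)
        return remainder

    everything = "".join(classes)
    chars = [alphabet[pick(len(alphabet))] for alphabet in classes]  # one per required class
    chars += [everything[pick(len(everything))] for _ in range(policy["length"] - len(chars))]
    # Fisher-Yates shuffle so the guaranteed characters do not sit at fixed positions.
    for i in range(len(chars) - 1, 0, -1):
        j = pick(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)
```

Because the policy feeds the derivation, the policy table has to be identical on every device, or the same master password and tag will produce different passwords.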
This is a cool idea. My problem is that sometimes I need to type a password into my phone, and a long string of random characters sucks to type on a phone keyboard. So I wrote a couple scripts to generate more typeable passwords, that I then store using pass. It was a fun exercise.
Another similar option, https://github.com/nmeum/tpm.
The phone thing is tricky; maybe it’s a good use for a smart watch. I enter my master password+tag on the phone, the tag-specific password pops up on the watch, now I navigate to the service on my phone and enter the password.
I like https://pypi.python.org/pypi/diceware as a simple alternative.