Deterministic password manager Issues


If you read our article on password managers that don't store passwords here on Ghacks, you already know what deterministic, or stateless, password managers are.

Broken down to the basics, these password managers store neither passwords nor account information. Instead of keeping a password database in local or remote storage, they rely on an algorithm to generate each password on the fly.

How is that done? Through an algorithm that computes a password from the master password and other data the user enters.

Again, at the most basic level, a password comes out when you enter the master password and the domain of a site.


The main advantage is that there is no syncing or password storage involved, at least not at the basic level.

This means that you can generate your passwords on any device that runs a program, app or online service implementing the same scheme, without having to sync a password database.

Deterministic password manager Issues

If you look closer, or use such a service for a while, you will notice that deterministic passwords have a couple of issues.

You may still decide to use a password manager with a deterministic approach, but you should be well aware of them before you do.

Master Password

If you want to change the master password, you need to change the passwords on all sites as well, because the master password is one of the inputs from which every site password is generated. A conventional password manager can re-encrypt its vault under a new master password without touching a single site password; a deterministic one cannot separate the two.

So, if your master password is compromised or leaks accidentally, anyone who has it and knows which manager you use can derive every password you ever generated with it, and you need to go ahead and change the passwords on all sites.

Changing Passwords

Basic stateless password managers don't offer an option to change an individual password. If a single site forces you to change a password, for example after a breach, you would have to change the master password, which in turn changes every other password as well.

More sophisticated solutions add a per-site variable, typically a counter or version number, that is fed into the algorithm. Incrementing it generates a new password for that single site, but the current counter value is one more thing you have to remember or store.

Algorithms

The algorithm that computes the passwords cannot be changed easily. If it changes so that different passwords come out for the same master password and site information, every password has to be changed on every site before you can move to the new version; there is no stored copy of the old passwords to fall back on.

Algorithm changes may still be necessary, for instance if flaws are discovered in the implementation or if the underlying hash or key-derivation function needs to be replaced.

Migration to a deterministic password manager

There is no import option. Because passwords are computed rather than stored, an existing password cannot be carried over; you need to set a newly generated password on every account that you want to manage with the deterministic password manager.

Password rules


Most Internet sites and programs enforce password rules. Some require a certain minimum or maximum length, others that numbers, special characters or upper case characters are included.

There is no way for a deterministic password manager to take those requirements into account without an interface that lets users pick the rules for each site, and those choices then become part of the input to the algorithm.

The password manager LessPass for instance displays those options on its site, while others may not offer them at all, which means they cannot generate working passwords for some services.
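To make the mechanics concrete, here is an added example in Python that is not code from the article, from LessPass or from any other product. It implements a hypothetical scheme of the kind described above: the master password is stretched with PBKDF2 using the full site profile (domain, login, counter and password rules) as the salt, and the resulting key seeds a byte stream that is mapped, with rejection sampling to avoid modulo bias, onto the alphabet the site allows. It demonstrates the basic derivation, the per-site counter for rotating one password, and why the rules you picked for a site have to be remembered: all of them are inputs, so changing any one of them changes the password. The master password, domain and login values are constructed sample data.

```python
import hashlib
import hmac
import string

# Character classes that a site rule may require (constructed for this example).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!#$%&*+-=?@^_",
}


def _byte_stream(key):
    """Unbounded deterministic byte stream, HKDF-style: HMAC(key, block index)."""
    i = 0
    while True:
        yield from hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1


def _uniform(stream, n):
    """Uniform integer in [0, n) from the stream, rejection-sampled so there is no modulo bias (n <= 256)."""
    limit = 256 - (256 % n)
    while True:
        b = next(stream)
        if b < limit:
            return b % n


def derive_password(master, site, login="", counter=1, length=16,
                    classes=("lower", "upper", "digits", "symbols")):
    """Stateless derivation: password = f(master, site, login, counter, rules).

    Hypothetical scheme for illustration only. PBKDF2 stretches the master
    password with the whole site profile as salt; every rule value is part of
    that profile, so forgetting or changing a rule yields a different password.
    """
    if not classes or not 4 <= length <= 64 or length < len(classes):
        raise ValueError("length must be 4..64 and at least the number of required classes")
    profile = "\x00".join([site, login, str(counter), str(length), ",".join(classes)])
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), profile.encode(), 100_000, dklen=32)
    stream = _byte_stream(key)
    alphabet = "".join(CLASSES[c] for c in classes)

    # One guaranteed character per required class, the rest drawn from the full alphabet.
    chars = [CLASSES[c][_uniform(stream, len(CLASSES[c]))] for c in classes]
    chars += [alphabet[_uniform(stream, len(alphabet))] for _ in range(length - len(classes))]

    # Deterministic Fisher-Yates shuffle so the mandatory characters do not sit at fixed positions.
    for i in range(len(chars) - 1, 0, -1):
        j = _uniform(stream, i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def satisfies_rules(password, classes):
    """Check that every required class is present, as a site's signup form would."""
    return all(any(ch in CLASSES[c] for ch in password) for c in classes)


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample master password
    pw = derive_password(master, "example.com", login="alice")
    # No storage needed: the same inputs on any device give the same password.
    assert pw == derive_password(master, "example.com", login="alice")
    # Rotating one site: bump that site's counter; every other site is untouched.
    pw_rotated = derive_password(master, "example.com", login="alice", counter=2)
    # Rotating the master password: every derived password changes at once.
    pw_new_master = derive_password("new master passphrase", "example.com", login="alice")
    # A different rule set (the site forbids symbols) gives a different password,
    # so the rule must be remembered or stored alongside the site.
    pw_no_symbols = derive_password(master, "example.com", login="alice",
                                    classes=("lower", "upper", "digits"))
    for label, value in [("current", pw), ("counter=2", pw_rotated),
                         ("new master", pw_new_master), ("no symbols", pw_no_symbols)]:
        print(f"{label:>11}: {value}")
```

Run it twice and the "current" line is identical both times, which is the whole point of the approach; change any single input and the line differs. The counter and the rule set are the state the article says you still have to keep somewhere, because the scheme cannot recover them from the master password.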

You do need to remember the rules that you have specified for certain sites though, or store that information locally or remotely.

A stored profile of site, user name, counter and rules is sensitive in its own right: it is a list of where you have accounts, and it is exactly the non-secret half of what an attacker needs next to the master password.

Remembering sites

Apart from remembering password rules, if you choose not to save that information, you also need to remember which sites you have registered an account with using the password manager, since you need to enter the site data manually each time you require the password.

This may not be a problem if you use it for a handful of sites, but it is easy enough to forget about one site or another, or which exact site URL you used, and a different URL produces a different password.

Now You: Do you use a password manager? If so, which and why?