What are the cons of stateless password generators?

I have used a stateless password generator for years, and I think there are a lot of drawbacks:

  • If your master password is compromised, all of your passwords are. In comparison, standard password managers require that the attacker both compromise the master key and gain access to the password store.
  • If a website has a password policy, you might not be able to generate a password that respects it.
  • If one of the passwords needs to be updated for some reason, you need to keep that state somewhere. For example, you need to remember to generate a password for "StackExchange2" instead of "StackExchange".
  • If you already have some passwords that you can't change (for various reasons), a static password generator won't help you.

For all those reasons, I think you should definitely use standard password managers.

Here are two less often mentioned problems.

  • Determining the website is hard. You want to use a different password for a.github.io and b.github.io, but you want the same password for microsoft.com and live.com, or wikipedia.org and wikimedia.org.
  • Changing anything breaks passwords. Once you've released your password manager and people start using it, you can't change anything about it, or users can't log in anymore. The way domains are handled must remain the same, even though domains change ownership. The way passwords are hashed must remain the same, even when a vulnerability is discovered in the algorithm.

See also my blog post about this.

1. Password managers provide additional options

A key difference between using a stateless password manager and a password manager is that password managers can store additional data such as

  • Security Questions
  • Credit/Debit card numbers
  • Id card numbers
  • Cryptographic keys
  • WiFi passwords
  • API keys, etc...

2. Existing passwords cannot be accommodated

Password managers can accommodate existing passwords. But a stateless password manager will force you to change passwords for all your existing sites.

This is very important if you want to store passwords for any account where you are not authorized to change the password. This can be a shared office mailbox, server password, etc...

3. Deterministic password generators cannot accommodate varying password policies

Some sites will need mandatory symbols with passwords but some sites do not allow symbols in passwords. Some websites like Payback support only numeric PIN.

Users either need to tweak the generated password or change settings. In either case, they need to keep the tweak or settings in memory which is not good.
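The problems described in the two answers above (deciding which hostnames share a password and being unable to change the algorithm, in the earlier answer; counters for rotated passwords and per-site policies, in this one) are easier to see in code. The following is an added example written for this page, not code from any of the answers or from a real password generator. It assumes a deliberately tiny public-suffix list and alias table as stand-ins for the real ones, and a `SCHEMES` table that stands in for a change to the derivation algorithm such as raising the KDF work factor. Every table in it is state that the master password alone cannot reproduce.

```python
"""Minimal deterministic ("stateless") password generator, written to show
where state creeps back in. Constructed example, not any real tool."""
import hashlib
import string

# Constructed, deliberately tiny stand-in for the public suffix list
# (the real list has thousands of entries and changes over time).
PUBLIC_SUFFIXES = {"github.io", "co.uk"}

# Hostnames that should share one password. This mapping cannot be derived
# from the master password; it is state the user has to carry around.
ALIASES = {"live.com": "microsoft.com", "wikimedia.org": "wikipedia.org"}

# Derivation schemes. Once a scheme is published it can never change:
# a different work factor yields different passwords for every site.
SCHEMES = {
    1: ("sha256", 10_000),    # original scheme
    2: ("sha256", 100_000),   # "fixed" scheme, incompatible with scheme 1
}

ALPHABET_FULL = string.ascii_letters + string.digits + "!@#$%^&*"
ALPHABET_ALNUM = string.ascii_letters + string.digits   # sites that forbid symbols
ALPHABET_DIGITS = string.digits                         # sites that want a PIN


def site_key(hostname: str) -> str:
    """Reduce a hostname to the label the password is derived from:
    the registrable domain (one label more than the longest matching public
    suffix), then collapsed through the alias table."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # longest suffix first
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            registrable = ".".join(labels[i:])
            break
    else:
        registrable = ".".join(labels[-2:])
    return ALIASES.get(registrable, registrable)


def derive(master: str, site: str, counter: int = 1, scheme: int = 1) -> bytes:
    """PBKDF2 over master password with the site and counter as salt.
    The counter is how "StackExchange2" gets encoded; it must be remembered."""
    algo, iterations = SCHEMES[scheme]
    salt = f"{site}\x00{counter}".encode()
    return hashlib.pbkdf2_hmac(algo, master.encode(), salt, iterations, dklen=32)


def render(key: bytes, alphabet: str, length: int) -> str:
    """Map the 256-bit key onto the allowed alphabet. Treating the key as one
    big integer and taking successive remainders keeps modulo bias negligible
    (bias <= len(alphabet) / 2**256) and needs no per-byte reduction."""
    n = int.from_bytes(key, "big")
    out = []
    for _ in range(length):
        n, idx = divmod(n, len(alphabet))
        out.append(alphabet[idx])
    return "".join(out)


def generate(master: str, hostname: str, counter: int = 1, scheme: int = 1,
             alphabet: str = ALPHABET_FULL, length: int = 16) -> str:
    """Everything except `master` and `hostname` is per-site state the user
    must store or memorize; change any of it and the password changes."""
    return render(derive(master, site_key(hostname), counter, scheme), alphabet, length)


if __name__ == "__main__":
    master = "correct horse battery staple"     # constructed master password
    print("a.github.io  ->", generate(master, "a.github.io"))
    print("b.github.io  ->", generate(master, "b.github.io"))
    print("microsoft.com->", generate(master, "www.microsoft.com"))
    print("live.com     ->", generate(master, "login.live.com"))   # same as above
    print("rotated      ->", generate(master, "stackexchange.com", counter=2))
    print("new scheme   ->", generate(master, "stackexchange.com", scheme=2))
    print("PIN site     ->", generate(master, "pin.example", alphabet=ALPHABET_DIGITS, length=6))
```

Run it once and note that every line except the first two comes out different from the plain `generate(master, host)` call: the alias table, the counter, the scheme and the policy each have to be stored somewhere, which is exactly the state a stateless generator claims not to need. Compromise of `master` still reproduces all of them, since none of this state is secret.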