[remark] Debating deterministic passwords

by Ciprian Dorin Craciun (https://volution.ro/ciprian) on 

A few words of caution about storage-free deterministic password managers.

// permanent-link // Lobsters // HackerNews // index // RSS


Please don't construe my words as either in support or dismissal of either classical password managers or deterministic ones. I haven't thoroughly looked at the problem from many (let alone all) angles, thus I might be missing a lot (both good or bad). To draw any conclusions, one should employ independent research.

Finally, keep in mind the following guidelines:

Deterministic password managers

All password managers rely on a user supplied "master password" to protect the user's credentials (mostly other passwords for various sites and applications). (Although nothing could stop a password manager to use something like a hardware token or any other such hardware devices.)

Classical password managers generate the credential passwords randomly, without any relation to the master password or any other contextual information. (Then these credential passwords are encrypted with the master password, using various cryptographic approaches that are sometimes better, or sadly, sometimes worse...)

However, there is another class of password managers, which I call deterministic password managers, ones that deterministically generate the credential passwords based on the master password and other various contextual information, like for example the site domain or application name, the username, the number of times a password was changed, etc.

In what follows, I'll focus on these deterministic password managers, especially as compared to classical ones.


Deterministic password managers have a few strengths (as opposed to classical password managers); for example:


However, as with all things, there are downsides too:

Other opinions