
Cons of using a Stateless password manager

Jun 17, 2020 by Kolappan N

Stateless password managers are password managers that generate each password from a fixed set of inputs instead of storing it. For example, they derive a password from your email, the website or app name and a secret phrase. The idea is that you only need to remember a single secret phrase, and the passwords themselves never need to be stored anywhere.

When I was starting to use a password manager I tried a few of them. These stateless password managers are really not that usable in practice. Here is why:

1. All passwords are linked

All the passwords in the password manager are linked to the master password or secret. This causes a lot of problems including

2. Deterministic password generators cannot accommodate varying password policies

Some sites require symbols in passwords, while other sites do not allow symbols at all. Some websites, such as Payback, support only a numeric PIN. Users must either tweak the generated password by hand or change the generator's settings for that site. In either case they have to keep that tweak or setting in memory, which defeats the purpose of the scheme.

The same problem appears when a website forces you to change your password. Consider a website that requires a new password every 90 days. Since changing the secret phrase would change the passwords for every site, you will instead vary the site name: website, website1, website2, etc… Now you also have to remember which number you are on.
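To make the two problems above concrete, here is a toy deterministic generator of the kind the post describes (an added example, not any real manager's algorithm): the site's password policy and the rotation counter become extra per-site settings that are not stored anywhere, so the user has to remember them, and a new secret phrase changes every derived password at once. The inputs and site names are constructed for the demo.

```python
import hashlib
import string

# Toy deterministic ("stateless") password scheme, added for illustration only;
# it is not the algorithm of any real password manager.
POLICIES = {
    "any": string.ascii_letters + string.digits + "!@#$%^&*",  # symbols allowed
    "alnum": string.ascii_letters + string.digits,              # symbols forbidden
    "pin": string.digits,                                       # numeric PIN only
}


def derive_password(secret: str, email: str, site: str,
                    counter: int = 0, policy: str = "any", length: int = 16) -> str:
    """Derive a password from the secret phrase and the per-site inputs.

    `counter` (for forced rotations) and `policy` (for site rules) are extra
    settings: nothing is stored, so the user must remember them per site.
    """
    alphabet = POLICIES[policy]
    salt = f"{email}|{site}|{counter}".encode()
    raw = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000, dklen=length)
    # Map each byte onto the allowed alphabet (modulo bias is fine for a demo).
    return "".join(alphabet[b % len(alphabet)] for b in raw)


def all_passwords(secret: str, email: str, sites) -> dict:
    """Passwords for several sites; a new secret phrase changes all of them."""
    return {site: derive_password(secret, email, site) for site in sites}


if __name__ == "__main__":
    # Constructed sample inputs.
    email, secret = "alice@example.com", "correct horse battery staple"
    print("default policy:", derive_password(secret, email, "shop.example"))
    print("PIN-only site: ", derive_password(secret, email, "payback.example", policy="pin"))
    for n in range(3):  # forced 90-day rotations: the counter must be remembered
        print(f"rotation {n}:    ", derive_password(secret, email, "work.example", counter=n))
    before = all_passwords(secret, email, ["shop.example", "work.example"])
    after = all_passwords(secret + "2", email, ["shop.example", "work.example"])
    print("sites changed by a new secret:", [s for s in before if before[s] != after[s]])
```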

3. Password managers provide additional options

A key difference between using a stateless password manager and a password manager is that password managers can store additional data such as