246 comments

[ 2.7 ms ] story [ 277 ms ] thread
I don't know what these are used for, but secret keys generated from current time are easy to guess. You only have to try around 2^24 values if you can estimate installation time within a specific year.

https://github.com/lesspass/lesspass/blob/master/lesspass.sh...

I always wondered why people resorted to `date(1)` when there's `random(4)`:

    $ xxd -l 20 -p /dev/random
    669d8372d63897e37776d05dc8acccbacf26befc
Not-so-good good idea?

Given that you already have dozens of site with their own passwords, you just can't import your passwords, but you need to change all of them to start using lesspass first.

Also, if the way the generation of passwords works changes later (i.e. bug), then the users are stuck with a version, or the bug is never fixed, ever.

You could just put the Algorithm or the version into the configuration. That would at least allow a gradual migration.
You are right. I made me similar tool. It just made MD5 out of mater password and service name.

You suddenly realize how many services have special rules you can't fit in. So for each service, I had to remember master password, which "url" i used (gmail.com or mail.google.com?) and which restrictions apply. Usually they did not allow me so long password. Sometimes I was limited to 16, sometimes 12 chars.

After big password leak (heartbleed), I had to setup second master password for all affected service.

So, no. No more sync-less state-less password managers for me.

Isn't that what the hosted profile is for?
There are a lot of reasonable complaints in the comments, but "you need to change your passwords when changing to this service" is actually not one. You want to do that anyway from time to time, and when you are using a new password manager is actually a great time.
It's also really shocking to see just how many accounts the average person amasses. My KWallet had some 250 entries at peak times.
If you want to change your passwords from time to time, as you say, then this system isn't going to suit you, because it only ever generates one password for each site.
You could change your master password from time to time and you chould increase the counter (which changes your password) for a given site from time to time.
What happens when the method of creating passwords needs updating, do I then need to visit countless numbers of sites to change the password?

I like the idea don't get me wrong, I just can't see all of the downsides right now which will stop me using it.

Elephant in the room: Are you going to be sued by lastpass for the name?

We are not a danger to LastPass. We'll see in time if it happens. The idea came after using KeePass -> I want to keep less passwords -> lesspass -> lesspass.com is available -> done
I wouldn't use a password manager system that doesn't have the ability to change the master password.

EDIT: You can't change any password really, without changing all of them (or having a separate master password). Seems unpractical as soon as, for example, site X gets its database hacked.

That is either by using the "connected version" or loosing the multi devices ability. BTW shouldn't the "connected version" be the one detailed on the home page? Sure sounds more attractive to me.
Or you have to remember the counter. Since most people just append a counter to their password for those sites that force them to change regularly, it's not really that different. :)
(comment deleted)
Others have expressed most of them, but issues I see with this is:

* Algorithm can't be changed/improved without changing all your passwords.

* Your master password can't be changed without changing all your passwords.

* You have to remember yourself at what sites you are already registered, and in case of critical bug, you would perhaps need to change password at some services (again remembering which ones they were).

With that said, I really like the outside-of-the-box thinking on this.

I have written a similar Password manager as an UWP for Windows [0]. It didn't get much attention since i never tried to get some.

I could not agree more with the points you mentioned. To solve the last one I added the option to create an encrypted list for the sites. But so you end with an additional password you need to remember because using the same as for the masterkey makes this the only key to access every password. And this is what the system tries to avoid.

[0] https://github.com/AndHell/CreatePass

Also, some sites (generally banks) change their login URLs and domains from time to time. With a 'traditional' password manager, I can map it to the old login details with a few clicks. With a stateless system, you're out of luck.
Very good point!
Also, some sites use a unified login which is shared between multiple sites owned by the same company. For example, StackOverflow uses an account which is shared across all the various StackExchange-type sites, and Gamepedia requires you to sign in with your "Curse Community Account". (I'm sure there are more examples; those are just the ones off the top of my head.)
Well, you are not forced to use a specificic url or your real login details to generate the password. You could do it with "My Personal Bank Account"+"My alias (not the same as my login)"+MASTER_PASSWORD. It's the same with SSO. You can use "Google Private" or "Google Public" and any login you want to generate a password for your google accounts, without using a real URL nor your real credentials.
Also, most people need help sooner or later, and they can't call IT for help with a system like this. Either they remember all the needed information or they don't.

As a work flow nit-pick, what if the password requirements change? You need to remember the original settings to generate your password, but if the site now says "must include numbers" when it didn't before...

It's important to change your passwords at regular intervals, even if you use a secure one.

If you compare this to two factor authentication it's the same amount of extra work, but without the benefits.

You should also avoid copying passwords to the clipboard as many applications and even web sites might have access to it.

Too bad client certifications are deprecated, now when SSL/TSL is becoming more and more popular. Only downside with client certificates is that you have to copy the key (witch can be password protected) to all your devices. Another downside was that the site required SSL/TSL, but almost every site have that now!

There's also some privacy and UX concerns with client certs. See http://www.browserauth.net/tls-client-authentication

Personally I'd love to see UAF or SQRL take off. Lots of potential there.

most browsers will auto select the right cert. But for browsers that dont support the keygen tag you have to create the cert including priv key and pw. you can of course create many certs for different users, you can of course also sign them yourself, no ca is needed besides for the ssl server cert. most of the points on that site is moot besides poor support on some browsers.
For reference, I am the author of Easy Passwords extension which uses a very similar concept.

These issues are definitely solvable, at least if you use a hybrid concept: while most passwords are generated, some can be encrypted and stored (encryption key derived from the master password). Easy Passwords has this functionality and LessPass appears to be working on it as well. Then changing algorithm or master password can be done by converting all existing generated passwords into stored password. This isn't a great solution of course and so far I haven't seen the need to implement this escape hatch but it can be done if absolutely necessary.

As to remembering the websites where you registered - that should definitely be the job of the extension (not storing passwords doesn't mean that you cannot store metadata). And many password generators support a revision counter for passwords, you increase it when you need a new password.

This one isn't bad either https://keeweb.info/
This looks really nice as well, is there a catch? Why would I pay for eg LastPass?
This is another GUI on top of KeePass' protocol, it's not a completely different password manager. Open source, built on top of Electron (IIRC), and there is no cost of using it.
Lastpass is free now for mobile devices! If that is what you were willing to pay for!

It syncs seamlessly across all desktop browsers, iOS and Android devices without any issues.

> PBKDF2 with 8192 iterations

Not nearly good enough.

Very cool project!

One thing though, LessPass sets HSTS headers, but should include the `includeSubDomains` directive and the `preload` directive to stop a first time MITM (for example, when you get a new phone). Once these are done, LessPass should be added to various browser preload lists.

What happens if a site requires you to change passwords regularly and keeps a history of the passwords you've used? Wouldn't you be locked on a single password for each site (or a very limited number of options to force the app to change it)
I guess you can increment the password length by one each time. Though you have to keep track of the last used length.
For brain dead sites with rules like "min 6 chars, max 8, mandatory change every 60 days", that won't take you very far.
So you're changing remembering 1 password for each site, for remembering a bunch of option configurations for each site.

Doesn't look like a win situation for me.

From the FAQ:

How do I change a password without changing my master password?

That’s the purpose of the counter field in the options field set, increment it and you will get a new password.

(comment deleted)
When I find stuff like this that uses SHA256, I instantly just tune out. SHA256 is stupid. Use SHA512 or find another line of work. SHA512 is astronomically more secure. Anyone who is using anything less than SHA512 for hashing is an idiot.
I think my passwords are far less interesting for an attacker than the Bitcoin block chain. And it's integrity is based upon sha256.
We had this conversation when it was md5 vs sha2 and concluded sha2 was good enough. What changed?
Anything to back this up? Why is SHA-256 stupid? I’d use truncated SHA-512 for speed on large inputs, maybe, but the extra 256 bits don’t usually add much in terms of security…
SHA512 is astronomically more secure how exactly? Under which scenarios?

Just so you know: SHA1 is problematic because of potential collision attacks. So you should definitely not use SHA1 for signing anything because it might be possible to construct a different document with the same signature. That's it.

What does it have to do with password derivation? Nothing at all. Collision attacks are irrelevant, what matters is computational complexity. So if you use PBKDF2-HMAC-SHA1 the only thing that would make your solution less secure is some shortcut allowing to compute a SHA1 hash radically faster without throwing faster hardware at it. And so far nobody found one.

Since you seem to like name calling, what do you call somebody making authoritative statements on matters they don't understand?

For reference, I am the author of Easy Passwords extension which uses a concept similar to LessPass. And it also uses SHA1 - for technical reasons.

I've used PasswordMaker in the past which uses the same concept but recently moved away from it. Changing passwords is a pain as you now have to remember special parameters for certain pages. Even worse, in case of a compromise of your master password, you're toast. The same is true when losing your password manager database + credentials, but at least you will have a list of all your compromised records which you would have to keep separate in this case.

I've moved to KeeWeb since then + CPK for Chrome and Keepass2Android on my phone and couldn't be happier.

I am surprised Stanford PwdHash [0] has not been mentioned yet as an alternative, which has extensions for Chrome, Fx, Safari, Android, iOS, Terminal and other software.

[0] https://pwdhash.com/

While the idea sounds alright (and I've seen similar ideas done before), there are a few problems with this system that make me quite cautious about trying it:

* In order to handle different password complexities, regeneration of passwords and similar setting, you have to use a "connected" version (read: you have to store the configuration). In addition, the configuration they have includes potentially sensitive information (password length, number of times password was changed, list of websites I use, my username on the site). And currently those profiles are unencrypted. So you in order for it to be useful it's no longer sync-less. As an aside, my bank (foolishly) uses my generated username as a "privileged" piece of information -- which means that I literally could not use this manager for my bank.

* You can't change your master password without updating all of your site passwords. This also means you can't import your old passwords without just changing them all. IMO this makes LessPass not a password "manager". It's a password generator.

* Also, the profile doesn't appear to contain any configuration details for the PBKDF, which seems like a bad idea (it means that they can never practically update the PBKDF without introducing backwards compatibility in the profile settings). Also not sure why they're using SHA when there are better password hashing algorithms.

* Aliases are impossible to implement (without adding more information to the profile), which just makes this impossible to use with SSO systems (I'm not going to remember which of the 5 different hostnames I used to generate a password I use once a year).

I've got to admit that I kinda like the symbols shown next to your password to make sure you're using the right master password, but there doesn't seem to be any description how that's generated. My guess is that it's similar to SSH keyart (which then brings up the question how often will collisions happen with only X^3 options, and can you have two passwords result in different orderings of the same tokens).

Overall, seems like an okay idea. But I would prefer if someone just offered a nice way to host your KeePass databases (or rather if there was an app that did it). You could probably do it with git and push to GitLab or something, but that is just ugly to do manually.

The login you use with lesspass doesn't need to match your actual login on a web site. In fact, nothing needs to match anything real. You could use any url or alias for the service you want to access ie "Google" and you can use your real login or any other text, it doesn't matter as far as you remember it (You could use 'me' for every site, I don't know why this field is required)
Okay, but now I have to remember 3x as many things as with a managed password manager. And how do I handle having multiple accounts on the same website?

"You can put whatever you want in field X" is not a solution to the problem IMO.

> how do I handle having multiple accounts on the same website?

You use the url of the site and your different logins to generate different passwords. What's so difficult about it.

Anyway, I don't think there is a problem at all.

Imagine this: I have 3 google accounts, which I use mainly for my gmail, another one for google play on my android and another one for my kids (google play, youtube). I could use the following setup: Gmail + me + masterpassword for the first one, Google Play + me + masterpassword for the second one, and Google Kids + kids + masterpassword. Another configuration could be: google + mail + pass, google + play + pass and google + kids + password. I actually would use my real login, since my accounts are already like this: username.mail@gmail.com, username.play@gmail.com, username.kids@gmail.com.

First there is nothing new to remember here, I already rememeber that I have 3 different accounts and what they are for. Second, it doesn't matter how many accounts you have on a site or how many sites you can access with the same account. You can use the url of a site and a different login for several accounts. You can use a description/purpose of your accounts and the same or different logins for several accounts on SSO services.

As I said, I don't see the problem.

> You use the url of the site and your different logins to generate different passwords. What's so difficult about it.

Your suggested solution of "not using your actual login" requires me to remember something that is not related to my login. This means that for multiple different accounts I need to remember twice as many things. Which makes it impractical (they can't be linked to my account or else my profiles will reveal the information).

> Imagine this: I have 3 google accounts, ...

I have ~8 different gmail accounts, all of which are used for emails. Yes, they're for different purposes but your scheme won't help differentiate them without also giving away my logins.

How do you deal with sites whose password requirements don't match the output of LessPass? How do you handle the fact that sites want you to change your password? Yes. There's a counter field, but how do you know what site uses what version of the counter? How do you change the master password without having to change all passwords?

Thing is: There's a solution for all these problems: All you have to do is actually generating a random password and store that (in-fact, that's the solution proposed by LessPass to use for these special cases. But if you have storage for the special cases, why not just store the passwords to begin with?)

You don't want to sync it because you don't trust the client-side encryption used in all the managers out there? Use a piece of paper to write the passwords down. Or use a device you constantly carry with you as your password store.

While there are tons of workarounds for the issues of stateful password managers, there are none for the stateless ones (aside of storing the state somewhere, but if you're doing that, why not just store the password?)

I think there is where the connected version can play an important role. From my understanding it stores everything but the password, so that can keep track of password rules, counters, etc per site.

I think the biggest issue still is what happens when you change your master password? Because I couldn't find an answer for that.

>aside of storing the state somewhere, but if you're doing that, why not just store the password?

Because even if the state information is compromised, it is useless to the attacker. On the other hand, if a password is leaked that can be used to access the account.

State for password managers is almost always stored encrypted, i.e. in a form useless to the attacker.
> But if you have storage for the special cases, why not just store the passwords to begin with?

1. because compromises do not give up the password

2. because storage then becomes optional, it's still usable if it's not installed on the device you're using, as long as you remember the metadata. (or keep trying different combinations until you get it, there aren't that many different combinations as long as you rarely increment a counter).

#1 is true too for an encrypted password database.

Unless of course by "compromise" you meant the master password being stolen, in which case such a compromise would result in all your passwords being stolen with both types of password managers.

The problem with writing passwords down is that I need to fly places and it's not unheard of if you work in financial tech or military tech to have your things riffled through at the boarder. Plus a mugger can say "give me your things!" or "Empty your pockets!" and now he has my credentials.

Passwords are not easy. My current solution for the long tail of things that need passwords is two factor + really strong password I generate then don't save anywhere. If I get signed out I do password reset to my gmail. Gmail is two factor (obviously) with a really strong password and recovery email to an email address nobody knows.

This is still a huge pain though.

If you used any stateful password manager instead of a piece of paper, then the passwords would be stored in an encrypted fashion. Don't give out your master password and your passwords are useless to an attacker.

If you use a paper based solution, just alter the passwords you write down using some additional information only known to you - maybe some prefix or suffix and the list would be useless for an attacker.

If you think they can force you to divulge the master password or your password scheme if you're using paper (they probably can, see https://xkcd.com/538/), then LessPass won't be of any help to you either.

> How do you deal with sites whose password requirements don't match the output of LessPass? How do you handle the fact that sites want you to change your password? Yes. There's a counter field, but how do you know what site uses what version of the counter? How do you change the master password without having to change all passwords?

While not perfect, I've addressed some of the issues in a similar password scheme of mine: https://github.com/onionjake/doh

* you can write specs for domains' specific password requirements so the generator can guarantee it is accepted * the counters you append to your password when generated are not sensitive so can be saved/synced * I have not addressed needing to change your master password, but I'd also like to point out using a password hashing scheme doesn't preclude you from having more than one master password, perhaps to segment work passwords from personal ones. * sometimes domains change as well, so you can log the domains used it generate passwords, which might be sensitive from a Metadata standpoint, but from a hack-your-password sorta way. This also helps when I use it for passwords other than websites (like ssh key passphrases)

> Thing is: There's a solution for all these problems: All you have to do is actually generating a random password and store

I agree that generating random passwords gives a better user experience, which it is much more popular. I prefer holding all of my data even if I could store it remotely encrypted so hashing was the clear choice. I also kept the algorithm simple so that I could implement it from memory on a strange computer if needed. Definitely not for everyone!

I started using Nic Wolff's password generator[0] to solve that very problem, but I noticed that the need for connected passwords makes up a large size of the passwords that I needed to use, so I gave up on the idea of "store nothing passwords". The idea of generating always the same password for the same site is also doesn't work, because of database breaches, so in the end I created a program[1] that did all the things I needed. Check the README to know how it works.

[0] - http://angel.net/~nic/passwd.current.html

[1] - https://github.com/marceloslacerda/password_generator

Looks pretty similar to what I'm using: https://github.com/majewsky/pwget

Mine doesn't have any provisions for passwords with a specific length or charset. If someone does not like what my pwget generates, I will adjust the password manually and write down the rules in a file that is kept in a private Git repo.

It's great people are exploring this problem space, but so far nothing comes close to https://www.passwordstore.org/ which is just a wrapper around gpg and git. It has Android/iOS clients, as well as GUI clients.

On Android I use Password Store + OpenKeychain, the UX with a YubiKey is very smooth.

https://fossdroid.com/a/openkeychain.html https://fossdroid.com/a/password-store.html

I'm also a user of pass, but the fact that all the metadata is in clear is a big beef for me. How do you solve that, if at all?
Fellow pass user here.

freepass [0] seems like it could be a potential candidate, somewhere between pass and LessPass, but I haven't tried it out for myself yet.

[0]: https://github.com/myfreeweb/freepass

You could encrypt the password store folder with another gpg container. That would be your master password.
Maybe you can put the whole .pass directory inside an encfs directory.

Encryption all the way down.

You can use a hash of the site appended with a .pass wide pepper as the name of the directory storing credentials for a particular site, then use a wrapper script that hashes its input before passing it to pass.

Also full disk encryption.

This is all a lot of effort, if I went down that road I might as well skip "pass" and handle the passwords myself. What I like about pass is that there isn't much setup.

Full disk encryption also doesn't prevent a running application from seeing the directory structure. But I guess this is not a very realistic attack vector.

Yes, under that threat model you would lose with all of these password managers.
How so? If the entire directory structure is also encrypted then no program can easily know which sites or services I have passwords for.
I was meaning if your machine was compromised.
I was using this for ~4 years and really liked it, but recently I've been using 1Password. I tried 1Password as it has a family plan, that didn't really work out though (getting non-technical people to use a password manager is hard - so I'll forever keep being asked "What's the Netflix password?"), but I have stuck with it for myself.

I really like the browser integration, which there isn't anything comparable for pass. I had a bash script [0] which when run would pull the current URL from my browser, and run pass to generate or copy the password to the clipboard - but the 1Password extension is so much nicer. If I'm on a site with weird requirements I'd have to figure out the params to make pass generate a password which matched it; with the extension I just click a few buttons.

I've also got hooked on the iOS app. I didn't know there was one for pass, but it looks rather basic compared to 1Password [1]. 1Password also supports TOTP, so you don't need a seperate app for that - although for security you probably should.

Maybe one day I'll get around to writing my own extension and app for pass, but for now paying $60/year is worth it for me. I don't pay for many apps/services, but this I find really worth it.

[0] https://github.com/lucaspiller/passosx

[1] https://github.com/davidjb/pass-ios

>I really like the browser integration, which there isn't anything comparable for pass.

people keep saying stuff like this (the one i use because x feature has no real competitor)

lastpass. i've used most password managers out there and lastpass hits all these points and more

After lastpass was bought out, I went on a spree to find a different password manager and in that process, I tried almost all of them (free & paid). Nothing came close to Lastpass so I decided to stick with them until they mess up.

If the worst comes to worst, I'll probably move to Dashlane (which is significantly more expensive & a bit more work to use - extensions won't work without a desktop app)

Why were Lastpass and Dashlane better than 1Password for you?

I've used 1P for a few years without looking at the competition, so curious to hear what they can do.

I did try 1Password, and while it was pretty good, it was never "great". By that I mean,

1. It required a desktop app to be installed to use the clients (while this is an issue with Dashlane, the 1Password windows desktop client is just weird - looks outdated, crashes etc.)

2. The 1Password Android app seemed to not have in-app password fill in (which both Dashlane & Lastpass had). While it's not too much of an inconvenience, I feel like 1Password is great if you are in the apple ecosystem.

This is not to say 1Password is "bad" by any means...I loved it's dropbox sync feature for example and it's integration with Alfred on Mac was awesome!

I've tried all of them and Dashlane is by far my favorite and only one I was able to stick to using. Worth the money IMO.
Pass doesn't have a sane iOS app. The only app available for Pass requires a jailbreak and doesn't function on phones without Cydia, GPG, and an SSH daemon running.
As an android user, I've tried 1password and it's pretty much the worst password experience on the platform. The Android client can't generate passwords, and it also can't cache my passphrase for any amount of time if I'm using the 1password keyboard (which is, as far as I can tell, the only way to make 1password fill a field.) After typing my fairly long passphrase 10x a day on the fiddly 1password keyboard with no feedback for the past few weeks, I'm switching to pass.

I understand that 1password on iOS doesn't interact as a third party keyboard, and 1password is an iOS/mac app first and foremost, but that's no excuse for making their Android UX so incredibly frustrating.

> If I'm on a site with weird requirements I'd have to figure out the params to make pass generate a password which matched it; with the extension I just click a few buttons.

How does this work? I don't suppose there's a micro format for password requirements? Does 1password just have a database of password formats for popular websites?

>> 1Password also supports TOTP, so you don't need a seperate app for that - although for security you probably should.

It goes way beyond "probably should" regarding security. You're giving a single company not only potential access to your usernames and passwords, but also your last line of defense - TOTP generation. That combination of apps put everything in reach of one company to fuck you over.

Using a password manager that is being coded and maintained by a random everyday software company should be the only concern anyone has over even considering using such an app. That one company has the ability - whether intentionally or via being hacked - to release an update to any of their client apps that sends your entire database, decrypted to plaintext, to any server in the world.

Can you think of any scenario where someone slips in a 2-line commit to one of their client apps that sends your decrypted database to any server of their choice? We're talking about one disgruntled employee who decides they would like access to millions of users' most sensitive credentials. Or perhaps a single firewall opening or social engineering attack away.

It blows my mind that anyone would put this much trust in any for-profit password manager. Every month we hear about yet another major hack against software companies. One day soon, such a hack will happen to 1Password or LastPass, and the majority of their customers are going to have their entire lives (logins to bank accounts, government portals, etc.) exposed.

Such an eventuality cannot be defended against. It will start and end in less than 48 hours thanks to auto-updating applications, and will affect millions.

I've been using passff[0] with a lot of success for an in-browser pass client with filling support and so on. Works really well.

My understanding is that Chrome makes it difficult to have this kind of thing due to it's sandbox. There was some talk of exposing pass over the network locally so there were no sandbox concerns.

[0] https://github.com/nwallace/passff

I have lost 4 hardware tokens already. :(
Not to shamelessly self promote, but if you like pass but hate GPG, then I already built you a command line password manager that is almost exactly the same as pass

It can securely save files, generate passwords, save passwords and optionally can sync using git.

https://github.com/ejcx/passgo

As someone with basically no experience with encryption, why would someone hate GPG?
GPG is well known to have a very clunky interface. It also is based on very old crypto (we know it works against the NSA, but we also know that it has problems that other crypto doesn't).
Eh, the UX doesn't look great compared to my current solution (KeePass). No browser integration or auto-type, no InputStick support on mobile, etc.

YubiKey support looks pretty nice though; I'm not sure there's an easy way to do what with KeePass.

Does it officially support every major browser on my desktop and phone? Anything that doesn't is still less useful to be than LastPass.
I don't think it supports any browsers via plugin. You use a separate app to unlock your keychain, it places the relevant password on your clipboard and then it clears the clipboard 30s later. Very simple and therefore avoids a whole bunch of vulnerabilities other password managers (like LastPass) introduce by integrating with browser plugins.
Sounds a lot more complicated than automatically logging me in without need for any action on my part like LastPass
A gentle critique: don't use "How it works?" since that is not proper English. "How does it work?" is better.
"How it works" without the question mark is fine, too. The site actually uses "How it works ?" which is a dead giveaway that the author is French.

As an ESL speaker myself, I wouldn't nitpick about grammar, though. The language on the site is very good in general, and learning second languages is very difficult. Je sais je ne peux ecriver francais bien. Right?

I guess my comma use is also a dead giveaway of my first language...
Yes, I should have added that "How it works" sans question mark is proper as well.
How is this different from having one password for all sites? If I break the master password I gain access to everything.
If the database of a site gets stolen it makes it a little harder to break your master password.
If you use one password for all sites:

* if password hashes from any site you use leak and they’re weak, you’re compromised everywhere

* if any site is or becomes malicious and its operators/hackers read your password, you’re compromised everywhere

This approach (maybe not implementation – its hashing is kind of weak) is fine if your master password is strong enough, which it should be.

A more developed and mature implementation of a stateless password manager is http://masterpasswordapp.com
Out of interest, do you actually use this? I saw it recommended on HN before and tried it. I found it has one of the most awful UIs I've ever seen. I found it completely unusable and dropped it immediately. I'm not saying people shouldn't use it if it works for them but I don't think I could honestly recommend it to anybody.