Stateless Password Managers | NSC #65

Password Managers

Tired of having to update your offline password manager on all of your devices when you add a password? Don’t trust cloud password managers? You’re in luck. During our courses, we always talk about two different types of password managers: offline and online. An offline password manager (e.g. KeePassXC) stays on your local device and never touches the internet. An online password manager (e.g. LastPass) stays in the cloud and requires you to sign into an online service to gain access to your passwords.

Offline Password Managers

Both password manager solutions come with their own issues. Due to the nature of offline password managers, you have to manually update your password manager database on each device you want to have your current copy. This becomes messy very fast and requires some sort of version control in place so you don’t overwrite new passwords with old passwords. The main benefit though is that you have physical access to your passwords every step of the way.

Online Password Managers

With an online password manager, you have the opposite problem. Version control is no longer a problem. Every time you update a password, it’s automatically changed in your account. The next device to access it sees the current version. The main downfall is, of course, that all of your passwords are stored somewhere you can neither see nor touch. While online password manager services go to great lengths to protect your data, always remember: if you can access your passwords anywhere in the world, so can anyone else. The only thing between them and your passwords is your master password, so make it strong!

Stateless Password Managers

With all that being said, let’s welcome a third contender into our already complicated world of password managers: stateless password managers. In a nutshell, these types of password managers don’t actually manage any passwords; they don’t even really exist. Instead of storing passwords, they generate your password from predefined values you supply. For instance, if you want to sign in to your Gmail, you would supply your username, gmail.com, and your master password. The password generated from these values will always be the same no matter how many times you try it. This is due to magic, also known as math.

With the power of cryptography, you can take a bunch of values, mash them together and generate a password based on those values. Next time you run the same algorithm with the same values, you get the same password because nothing has been changed in the process. If you’re a math major, it’s basically like plugging the same values in for x and y in the same equation: you always get the same solution.


Of course, the stateless password manager has its own issues, mainly its very design: you can’t save anything. This means that backup codes, PINs, security questions, etc. will need to be remembered, which completely defeats the purpose of having a password manager in the first place. Another issue is dealing with site password restrictions. If you have to tweak the generated password even slightly, there’s no way to save that tweak.

The worst issue we see with this, by far, is the master password. If someone were to guess or steal your master password, they would have the ability to get into all of your accounts, both present and future. The master password is the secret bit of information from which all passwords are generated. This is assuming you use default options. This can be very dangerous if you use your master password for anything other than to generate your other passwords. This also becomes an issue if several people use the same password, such as the class favorite: password.
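The derivation described above, as an added sketch that is not code from the original post or from any particular stateless password manager. PBKDF2-HMAC-SHA256, the iteration count, the alphabet, and the `counter` and `length` parameters are assumptions chosen for illustration, and the inputs are constructed.

```python
import hashlib
import string

# Assumed parameters for this sketch; real tools choose their own KDF and cost.
ITERATIONS = 200_000
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def derive_password(master: str, site: str, login: str,
                    counter: int = 1, length: int = 16) -> str:
    """Derive a site password from the inputs alone; nothing is stored."""
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    fields = [f.encode() for f in (site.lower(), login, str(counter))]
    salt = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    # A slow KDF raises the cost of guessing the master password from one
    # leaked site password.
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt,
                              ITERATIONS, dklen=2 * length)
    # Two bytes per character keeps the modulo bias small. Nothing here
    # guarantees a digit or symbol, so a site's composition rules may force
    # a tweak (here: a new counter) that you then have to remember.
    chars = [ALPHABET[int.from_bytes(raw[2 * i:2 * i + 2], "big") % len(ALPHABET)]
             for i in range(length)]
    return "".join(chars)


if __name__ == "__main__":
    # Constructed inputs, using the article's weak "class favorite" master password.
    first = derive_password("password", "gmail.com", "alice@example.com")
    again = derive_password("password", "gmail.com", "alice@example.com")
    rotated = derive_password("password", "gmail.com", "alice@example.com", counter=2)
    print(first == again)    # same inputs, same password
    print(first != rotated)  # rotating means remembering counter=2
```

Everything except the master password is non-secret, so anyone who learns it can run the same function for every site, which is the risk the paragraph above describes.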


All in all, stateless password managers will not replace every other password manager. They can be very useful in places where you cannot (or don’t want to) access your password manager like a public computer at a hotel or a school. If you have an account you need to access on the way to the airport to print your ticket, this is perfect: just access the web version, type in the correct values and log in to your account. The only other option is to either use a memorized password (which probably sucks) or use a USB dongle (e.g. OnlyKey, YubiKey, etc.) to type out your password if USB devices are allowed. The point is: passwords are a pain to remember. Anything that we can add to make this process easier is a welcome addition.

Questions, Comments, Concerns?

Let us know in the comments what you think!

