I wrote by hand and keep my password with this

I keep my password tattooed on my penis.

Needless to say it took a while getting the complete works of Shakespeare on there.

You can imagine what a bitch it is logging on.

this is what i do, except i wrote it backwards and change the extension to .sys

Well, basically, if one has master password and software - he can re-generate the list.
Or he just copies/photos your list

I don't think this is big problem, because all this is automated. As such it can be copied from RAM or media using leftovers.

The secrecy is what I don't like in your approach.
1. there is no "salt", and
2. there is redundant keyphrase for each password, which - nevertheless, can be reverse-engineered from final key-password.

What if you would use amount of letters (plus magic, multiple of magic or more "magic") of the target website.
Let me give you an example:

GOG.COM -> 3 letters before dot.
Semi-constant magic says "two times minus 1/3, rounded" = 3 * 2 - 0.33 = 4.
The offset is 4, its "salt". You constantly add it to each number row.

First letter G, iteration 1 + salt 1 = 2. Col G, Row 2.
Second letter O, iteration 1 + salt 2 = 3. Col O, Row 3.
Third letter G, iteration 1 + salt 3 = 4. Col G, Row 4.
Fourth letter C, iteration 1 + salt 4 = 5. Col C, Row 5.
Sixth letter O, iteration 1 + salt 1 = 2. Col O, Row 2.
Seventh letter M, iteration 1 + salt 2 = 3. Col M, Row 3.

I think you get the idea. If you look up my 1st post in thread, you will see that the magic is not static key, but "an algorithm" which transforms source hash list into target key. My method is about equal, but I don't have generator like in your version.

You generator is pretty interesting =]

I use keepass also, but since we're talking about password generators, I liked very much the idea presented on PwCard (not actually something new, or very bullet proof).

https://www.pwcard.net/

Thats interesting.. but I see some problems.
- no per-case regenerations possible. Some websites may ask to change password. Changing password would require to change master password, which would require to reset all the passwords.

- initial start code is static, some services are limited by pass length

- step 2 requires to code master password in each password using a card, which can be picked off.
If attacker steals or gets you card and has at least one password, he can reverse the master password using the card.

- if attacker manages to capture several raw passwords (and nothing else) , he can crack the whole card, because it consists of big static part and part which depends on openly available data (URL).

Just wondering how many times the police have been called when you need to login in a public place?

My password manager is a small notebook. Nobody can hack paper. :P

The algorithms of salt would make it a lot more of a hassle to read if you need to read it, since you're using it instead of a password manager. But yes I see where you're coming from, but at that point, unless you want to spend a lot of time looking up your password every time you login, a password manager such as KeePass is a better solution, from compromised passwords nothing can be reverse engineered.

Here

KeePass is piece of software. Its vulnerable, known, predictable, prone to hardware corruption, dependent, relying upon and sharing space (hard drive, ram, network ports) with other software. To escape majority of these problems, people tend to introduce even more attack vectors. Its more secure to store your passwords in a text file with random name than in dedicated known piece of software. But thats my point of view.

Where is the evidence for that? I have used keepass for ages both on main computer and portable apps. Never had any issue with it. That post you link to mainly seems to deal with this dropbox. And my recommendation is, always, don't use online services. They are always the weak link in anything you do and requires the vendor to continue to provide access. Under no circumstances would I use an online storage for anything, even synchronising favourites, do it yourself, organse it, and above all keep it away from the internet.

No, its just password db file getting corrupted and discarded as whole. Usual stuff.

Its just - KeePass and similar - are software. Unlike data file or piece of paper. They function like, within and depend upon software stack, require to function and are expoitable via hardware.

The idea is, the shorter the possible breakage chain, the more efficient it is. Of course, there are also probabilities, chances. But static data file is less probable to be corrupted than running code file. But most which confuses me, is that you use pretty specific software which is known. Like storing passwords in firefox, with malware targeting specifically this part. Ofc, KeePass file is probably very secure, at least much better than firefox plain-text password file in known location. Still, its a file in known location.
But you store all your passwords in one text file somewhere - the offender would need to parse whole filesystem to find the keys. Its like storing stuff in pretty big complicated safe inside the house, versus putting them inside a cheap fake book in your library.
I think the safe is much better protected against direct assault. But if attacker knows you have the safe in attack phase then,. bad chances. YMMV, but I choose portability, by that I mean ability to read the password list from any system where a drive can be hooked up to. Only running KeePass can read KeePass file. Any text editor can read text file.

There's a lot of things you can do to get seemingly random passwords for a ton of sites. For example, you can take the site's domain name + a personal password + the date and run that through a hash and wind up with something that appears to be rather random. Each time you need to update the passwords on all your sites you choose a new password and keep that memorized.

Realistically, it's rather unlikely that an attacker is going to figure out the password from just the domain name and the date the password was created. And in any case you'll be storing that information either way.

An attacker is unlikely to see more than a couple of your passwords at any given time, so trying to figure out how the password was generated is largely impossible. They'd be left with trying to either brute force the password or more likely abuse the password reset feature to get into the account. Or, I suppose try to trick you into giving the password away.

People tend to think that harder passwords are better and to an extent that's true, but realistically trying to brute force a password is a lot of work for not a lot of profit in most cases.

I started using Encryptr because it is simple, free and is available on Windows, Mac and iOS.

https://spideroak.com/solutions/encryptr