I am an information security professional, so I'll offer some advice and my opinion. Personally, I don't use any password manager that uses reversible encryption. That's not to say that reversible encryption itself isn't secure, but that many online password safes simply don't secure their systems enough to guarantee your password's safety. Keepass is a good offline password safe, but again, it uses reversible encryption and there are better ways to manage different passwords across multiple websites in my opinion.
I use cryptographic hashing encryption, which is one-way encryption, to manage my passwords. I only need to remember one master password for all my websites, and a unique, complex and long password can be generated from that one master password. The idea behind it is to take that one master password that you remember, hash it with a tag or domain name that you are going to use the password for, and then a unique complex password is generated for that website. You can now have an infinite number of unique passwords generated from one master password that can be used to register on all your websites. The unique passwords will always be the same as long as you always use the same master password and tag/domain name. What makes this secure is that the passwords that are generated are never stored anywhere. Even if the algorithm that is used to generate the password is stolen, your passwords are safe. You never have to worry about an encrypted password safe file getting lost or stolen. As long as you can remember that one master password and keep it safe (in your head), your passwords will always be 100% safe.
I created my own utility to generate these complex passwords, but there are also online versions that utilize this same concept. One example of this concept is here:
https://www.guerrillamail.com/tools
Just put in a domain name (for example, amazon.com), then enter your master password and it will then generate a complex password for you to use for your amazon.com account (as an example). The password it generates will always be the same as long as you always enter "amazon.com" and your master password for those fields. The password it generates is never stored anywhere since it is generated using one-way hashing on the fly.
My own utility works a little better for my needs than the guerrillamail version (if anyone would like the Python source, I can share it), but that guerrillamail.com tool is still a good option for managing your passwords in a really secure manner. As a bonus, the site can be accessed on your phone if you ever need it, so you don't have to worry about needing access to an offline password store.
Interesting approach, but I'm not sure it's as safe as you're inclined to believe... especially the Guerrilla Mail method. You're basically talking about using tripcodes. In order to get consistent passwords using hash functions, you need either no salt or the same salt - but that is a technical side-trail that misses the two most important issues here. We'll assume you're (hopefully) talking salted, though.
Salts and accounts get compromised, and passwords get exposed off servers. Let's say you do use the [hashedpasswordfromguerrillamailgenerator]@[domain] method to generate passwords. Guerrilla Mail by virtue of function has to use the exact same static salt to their hashing algorithm, even if that salt is known/compromised, to ensure your username gets hashed out to your "official" inbox. It's the same reason for the utter weakness and worthlessness of tripcodes, and why everyone knew how to generate !Ep8pui8Vw2, lifeanon269. *cough* But I digress...
Okay, fine, let's say you do use a one-way hash to create a more complex series of letters and numbers to substitute in for your real password. Using the Guerrilla Mail "generator" for your password still leaves the @[domain] part unhashed. Unless you're typing in [passwordtobehashed+domainforpassword] as your "username" on their form instead of just [passwordtobehashed] to generate your password, the hash number spit out is always going to be !Ep8pui8Vw2.
Let's say you use that method for password generation. So, you have your Amazon password "generated" using this method to !Ep8pui8Vw2@amazon.com, your Ebay password set to !Ep8pui8Vw2@ebay.com, etc. etc., for every last website password you use. Then one of the less secure websites has a security breach and your password gets compromised. Just for giggles, we'll say it's here. !Ep8pui8Vw2@mrmoneymustache.com is now publicly searchable as a known valid password for an account tied to lifeanon269@gmail.com.
Problem One: How is this more secure than using plaintextpassword@amazon.com, plaintextpassword@ebay.com, plaintextpassword@mrmoneymustache.com for your passwords? Yes, the actual password might have been hashed into a non-dictionary word in this setup, but it's always the same hashed password. Having an exposed known username/password of lifeanon269@gmail.com for the username and !Ep8pui8Vw2@mrmoneymustache.com for the password means that anyone with more than two neurons to rub together is going to try using that email address with the first part of that password using the predictable second half of that password on other sites. Since you're using a single "master" password with this method, congratulations! You now need to change the password on EVERY SINGLE ONLINE ACCOUNT YOU HAVE because your "single" one-way "hashed" password has been compromised.
Of course, that's just one problem. There's also the lack of password rules and harmonization across the internet. There are plenty of websites that still place shorter and harder limits on the passwords you can use. Some limit to 20 characters or less. Some still forbid all non-letter/number character usage. Some forbid dictionary words in their password generation.
Problem Two: This method of password generation isn't going to yield a password that will work with each and every website that requires account credentials and passwords, which means your single password method still breaks under some circumstances, and you still wind up needing more than one method of generating and reliably recovering a password for some sites.
Now, back to the side-road mentioned earlier. Even if you did the [passwordtobehashed+domainforpassword] as your "username" on their form instead of just [passwordtobehashed] to generate your password and the other two issues weren't a factor, you're doing so using a known hashing algorithm with a known salt, which makes targeted attacks against users to crack their passwords really easy: maybe not desperately fast, as the math still needs to be brute forced by a computer, but still easy to set up. The attacker knows it'll be a universal single password combined with the domain the password is linked to, to generate the hash, if each hash is found to be unique with every website (best case scenario). Worst case, you're just hashing the password, which brings us back to problem one. Either way, the actual typed password that you know and use can be exposed, which means that even though you can do a "password reset" by changing the salt to keep the same password and generate a different hash, your core password can be reverse engineered and then known, leaving you with a password you have to change anyway. This is why everyone knew what moot's tripcode was.
There's a reason why the greater public doesn't use the tripcode method to generate their passwords.
Just because someone knows how to use seven proxies doesn't make them an infosec specialist.
I kid, I kid... but seriously, if this is your job? You have some room for improvement here, and a blindness to an ideological concept that impairs some rational thinking, just like everyone else. Know you're not alone in this weakness, but you did just apply that in a very public way on the subject of personal security and passwords. Use that as an opportunity to grow, mature and learn. Unfortunately, people should take this idea with a grain of salt... pun intended.
Yes, KeePass2 may have its own weaknesses and issues, but I'll take an offline password manager database for managing passwords over using a half-baked, one-way hash generator method that's inspired by using a Futaba imageboard to manage my passwords. It's a cute idea, but it's a really bad idea in reality.
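As an added worked example (editor's code, not the first poster's utility and not Guerrilla Mail's tool), here is the scheme from the first post, a per-site password derived one-way from a master password and a domain, followed by the offline guessing attack the second post describes: the algorithm and the domain "salt" are public, so one breached site's password lets an attacker re-derive candidate masters until one matches, and then derive every other site's password. The master password, domain list and wordlist below are constructed for the illustration; the derivation uses PBKDF2-HMAC-SHA256 from the standard library purely as a stand-in for whatever hash such a tool uses.

```python
import hashlib
import hmac
import string
from typing import Iterable, Optional

# Constructed sample data for the illustration (not from the thread).
MASTER = "correct horse battery"
DOMAINS = ["amazon.com", "ebay.com", "mrmoneymustache.com"]

# 64 symbols so that byte % 64 maps uniformly: 52 letters + 10 digits + 2 symbols.
ALPHABET = string.ascii_letters + string.digits + "!@"
assert len(ALPHABET) == 64


def derive_password(master: str, domain: str, length: int = 16, iterations: int = 1) -> str:
    """Deterministic per-site password: one-way hash of (master, domain).

    The domain plays the role of the fixed, public salt the second post talks about:
    it has to be the same every time or the user could never reproduce the password.
    iterations=1 models a bare hash like the tools discussed; a larger count only
    makes each guess in recover_master() proportionally slower, it does not stop it.
    """
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              domain.encode("utf-8"), iterations, dklen=length)
    return "".join(ALPHABET[b % len(ALPHABET)] for b in key)


def site_passwords(master: str, domains: Iterable[str]) -> dict:
    """Every per-site password a user of this scheme would register with."""
    return {d: derive_password(master, d) for d in domains}


def recover_master(leaked: str, domain: str, candidates: Iterable[str],
                   length: int = 16, iterations: int = 1) -> Optional[str]:
    """Offline attack from one breach: the algorithm and the 'salt' (domain) are
    public, so the attacker just re-derives until a candidate master matches."""
    for guess in candidates:
        if hmac.compare_digest(derive_password(guess, domain, length, iterations), leaked):
            return guess
    return None


if __name__ == "__main__":
    pw = site_passwords(MASTER, DOMAINS)
    for d, p in pw.items():
        print(f"{d:22} {p}")

    # One site is breached and its password for this account becomes public.
    leaked = pw["mrmoneymustache.com"]
    # A small constructed wordlist; a real attacker would run millions of guesses.
    wordlist = ["password", "hunter2", "correct horse", MASTER, "Tr0ub4dor&3"]
    found = recover_master(leaked, "mrmoneymustache.com", wordlist)
    print("recovered master:", found)
    if found is not None:
        print("amazon.com password now known:", derive_password(found, "amazon.com"))
```

The per-domain passwords do differ from each other, which is the property the first post relies on, but recovering the master from a single leaked value costs the attacker only one derivation per guess, and once it is known every other site's password follows. Raising `iterations` scales that cost linearly; it does not change the outcome for a master password that appears in a wordlist.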