
Pass is great, but it's a very niche piece of software. I was actually surprised (but grateful) that it existed because so many people have a GUI password manager.

I have the Firefox integration (and I contributed to that integration) and like that much better than other software I tried in this space, not least because I understand all the moving parts so if they break I'm not helpless.

I actually did use the Stanford PwdHash linked above on some systems precisely because password managers were so unsatisfactory. But it's clearly true that if any solution in that class were significantly popular it begins to make sense for bad guys to attack that specifically - assume the gibberish in stolen plaintext passwords is actually output from a "stateless" scheme like this and brute force it. Once you decide to compensate for that (e.g. maybe you're going to have a 12 random character master password entered every time you log in somewhere) password management seems like the less awful option.

I'd like to see low value sites that this sort of thing is clearly most suited for (so like Hacker News, or Stack Overflow, not your bank) offering WebAuthn with no password. Blip, you're in. Very safe, but also very low friction.



