I believe I do, but I am not entirely sure you understood my question. Apologies for the bad wording.
What I am saying here is: say you have 200 entries, with a mixture of Maximum Security, Long, Medium and PIN password types, and want to export the sites' configuration; the only way is to actually export the file and import it. Unless you remember what the password requirements are for every single one (characters allowed, max password length, etc.).
Given the secure export file looks like this:
# Master Password site export
# Export of site names and stored passwords (unless device-private) encrypted with the master key.
# User Name: bla bla
# Avatar: 0
# Key ID: blablablabla
# Date: 2018-01-03T15:09:10Z
# Version: 22222222222222.5.2
# Format: 1
# Passwords: PROTECTED
# Last Times Password Login Site Site
# used used type name name password
2018-01-03T14:55:15Z 0 17:3:1 user1 blue
2018-01-03T14:55:28Z 0 16:3:1 user1 orange
I see little to worry about if this file possibly gets stolen. It's indeed not ideal, as the login name together with other fields is used to generate the password (along with the master key), but I am not sure the burden of having to export and import again whenever you want to add a new site is much more appealing. Unless of course you do it manually on all of your devices.
on 16 Apr, 2018 03:04 PM
I have the same wish and problem. I have some hundred accounts to manage.
Some systems force you to use a certain login name (or your preferred one is already taken - OK, I can use the [email protected] notation).
Some „clever“ admins force you to change passwords every 3 months.
And some sites have annoying limits on password lengths or character sets.
The latter two aspects make it really impossible to remember for 200 entries.
And how can I transfer a list of 200 to another device? There is an export feature, but I couldn't find an import function.
If there were an export & import function, I could transfer it while inside a secure network.
It's important to be conscious of the fact that Master Password is not supposed to be an app that keeps track of things for you.
It is supposed to be a calculator. Calculators don't sync things.
As soon as you start using Master Password to keep track of things for you, you're falling into the pit that we're trying to save you from. You become dependent upon state. If the state ever disappears due to loss or corruption, you are in the same bad spot as you would have been with a regular vault-based password manager.
It's my recommendation that you try to simplify instead of trying to keep track of your complexity.
Pick a default password template that best supports your use case. For rotating passwords, use the password counters. If passwords rotate based on chronology, use a counter that encodes the chronology so you don't need to remember the counter value itself (e.g. every year, increment by 10; every quarter of the year, increment by 1).
> As soon as you start using Master Password to keep track of things for you, you're falling into the pit that we're trying to save you from. You become dependent upon state.
In a way, you are always dependent on a state. The site you are trying to log in to requires not only your password, but a user name as well. Here is your state. You can choose to remember it (together with all other metadata for hundreds of sites), or you can save and sync it using one of the numerous cloud solutions (I prefer the Chrome extension, and just syncing the Chrome extension state).
And yes, sites use ridiculous password rules that users have to dance around by choosing weaker patterns*, and sometimes sites force you to come up with a new password as well. It's a burden for the user to carry that a good MPA implementation can help with.
Specifically on default templates: there is a way to solve the situation when a site doesn't support specific characters without weakening the template. Consider an option to let the user specify what special characters the site explicitly rejects, and generate new passwords with the same template (maximum, long), increasing the counter until the requirement is met. Remember that counter in the metadata - and you are good!
Note that you can also generate usernames, so you could avoid having to remember a username.
In terms of allowing custom templates: I'd rather avoid this, since that means you need to reconstruct the rules you used for a site when you generated your password for it when you want to regenerate the password later (i.e. the site-specific rules become state). Further, password rules can change.
Ideally, I'd prefer to look into getting one or two templates that are maximally accepted by sites all over the net. Key here will likely be: keep the character set as basic as possible and gain entropy through password length.
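
The counter-search idea proposed earlier in the thread (keep the template, bump the counter until the password contains none of the characters a site rejects), as an added sketch that is not code from the thread or from the Master Password project. Assumptions: the character classes, the two Maximum Security templates and the site-key message layout follow the published algorithm as best known here and should be checked against the official specification; the scrypt master-key step is skipped and replaced by a constructed sample key; `site_password` and `find_counter` are hypothetical names.

```python
import hashlib
import hmac
import struct

# Character classes and "Maximum Security" templates as published for
# Master Password (assumption: verify against the official specification).
CLASSES = {
    "a": "AEIOUaeiouBCDFGHJKLMNPQRSTVWXYZbcdfghjklmnpqrstvwxyz",
    "n": "0123456789",
    "o": "@&%?,=[]_:-+*$#!'^~;()/.",
    "x": "AEIOUaeiouBCDFGHJKLMNPQRSTVWXYZbcdfghjklmnpqrstvwxyz0123456789!@#$%^&*()",
}
TEMPLATES = ["anoxxxxxxxxxxxxxxxxx", "axxxxxxxxxxxxxxxxxno"]
SCOPE = b"com.lyndir.masterpassword"
# Constructed 64-byte key standing in for the scrypt-derived master key.
SAMPLE_MASTER_KEY = hashlib.sha512(b"constructed sample, not a real key").digest()


def site_password(master_key: bytes, site: str, counter: int) -> str:
    """Stateless derivation: same (key, site, counter) always gives the same password."""
    name = site.encode("utf-8")
    msg = SCOPE + struct.pack(">I", len(name)) + name + struct.pack(">I", counter)
    seed = hmac.new(master_key, msg, hashlib.sha256).digest()
    template = TEMPLATES[seed[0] % len(TEMPLATES)]
    return "".join(
        CLASSES[cls][seed[i + 1] % len(CLASSES[cls])] for i, cls in enumerate(template)
    )


def find_counter(master_key, site, rejected, start=1, limit=1000):
    """Return (counter, password) for the first counter whose password avoids `rejected`."""
    banned = set(rejected)
    # Each template needs one character from classes a, n and o; if a site bans
    # a whole class, no counter can ever fit, so fail instead of searching.
    for cls in "ano":
        if set(CLASSES[cls]) <= banned:
            raise ValueError(f"site rejects all of class {cls!r}; template cannot fit")
    for counter in range(start, start + limit):
        password = site_password(master_key, site, counter)
        if banned.isdisjoint(password):
            return counter, password
    raise ValueError("no acceptable password within the counter limit")


if __name__ == "__main__":
    counter, password = find_counter(SAMPLE_MASTER_KEY, "example.com", "'^~;/")
    print(f"counter to remember: {counter}, password: {password}")
```

Only the counter has to be kept per site; the rejected-character list is needed at search time and not for regenerating the password later.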