I finally released : Pain-free Passwords 2.2.0! Get it here:

This is a major one, lots improvements here. The most noticeable one is the user interface, the tab strip on the left should make it much easier to navigate.

Previous screenshot shows a minor improvement: website name is a link now. Here is one more: you can copy the user name from the password menu. Oh, and you can navigate both the password list and the password menu with arrow keys:

A big one: no more "Easy Passwords 1.x compatible password" here, weaker password generation is gone for good. If you still had any legacy passwords these will be converted to stored passwords now, same happens when importing backups with legacy passwords.

The visible change: sync should now work with any server supporting remoteStorage protocol ( The bigger but rather hidden change: sync protocol requires even less trust in the storage provider now, no tampering with the data should succeed.

Selecting a site got its own tab now, so it's visually different from choosing an alias for a site and should no longer confuse anybody.

And PfP options are part of the pop-up now. You can still get to them the way your browser lets you configure extensions. But quite frankly, how many people managed to find them there?

Another big but not quite noticeable change: autofill functionality will try to fill out user names if the page has no password fields. This should work well with most of the pages that split logins to two pages, or if you need to use "password reset" functionality.

Oh, and did I mention keyboard navigation being more convenient and working far more consistently now?

Full list of changes:


It's a neat idea and I respect your work.

However isn't this in general a bad idea and not really a password manager?

: "Most passwords never stored but generated when needed"

I'm no but _generating_ or in this case aka _storing_ passwords like this is inherently insecure?

@sillystring It all boils down to the password derivation algorithm that you choose, weak master passwords should not be too easy to guess. I wrote about it here: - and most password generators indeed didn't perform well. PfP was called Easy Passwords back then and used PBKDF2, we now upgraded to the more secure scrypt algorithm.

@sillystring In the end: yes, generating passwords will always have this additional attack vector, as opposed to merely storing them. However, with a proper derivation algorithm and a master password that isn't "password1" the risk here will be very low, particularly if compared to the other risks password managers are exposed to. Yet the gain when you need to recover your data is massive and outweighs the risk by far.

Sign in to participate in the conversation
Infosec Exchange

A Mastodon instance for info/cyber security-minded people.