
> (Though if you've found a good option, that will allow me to easily sync across my home desktop, laptop, office pc, tablet, and smartphone, without using the cloud, I would absolutely love to hear about it! Maybe something Bluetooth based?)

I don't know if it meets your needs, but I love PasswordMaker (http://passwordmaker.org). There is no need for syncing, because the password is generated from a master password and configurable per-site data (by default, the web-site address; but you can add more data sources if you don't like that). It has an extension for Firefox that auto-completes passwords (configurably, remembering the master password per session so that you don't ever have to type it); there are widgets for Windows and Mac OS; there are Android and iOS apps; and, always, there is the fallback web page, which you can use anywhere that you have a web browser.

EDIT: Since I am trying to indulge in quite a bit of advocacy here, I want to make it clear that I am in no way affiliated with the project. I just stumbled on it a long time ago, and have been delighted with the way that it fills my needs.




I tried to use something similar a long time ago (SuperGenPass). The problem I had with it was that oftentimes the password would not meet the password requirements of the site. Sometimes it's too long, sometimes there weren't enough numbers or symbols. I couldn't use it if I'd have to remember that it didn't work for particular sites (after all, the whole point is not having to remember information for each site). How does PasswordMaker fare with that issue?


PasswordMaker allows you to tune the length and character set. You have to remember your site's password requirements, which is not so easy to do (usually they are only made available when you try, and fail, to change your password; in particular, only when you are logged in); but, in practice, I've found that using the default settings, and then using restricted settings (shorter length and A-Za-z0-9 character set) if that fails, works on every site I've ever used. This means that, if you are willing to endure the occasional inconvenience of having to re-enter a password, you don't have to remember anything per-site.
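As an added illustration of the scheme the two comments above describe (master secret plus site data, with "default settings, then restricted settings" as the fallback), here is example code that is not PasswordMaker's, SuperGenPass's or WebPass's own; it assumes PBKDF2-HMAC-SHA256 as the derivation function and a constructed site-policy format.

```python
import hashlib
import string

# Constructed example, not PasswordMaker's algorithm: derive a per-site
# password from a master secret and the site name, then pick the first of
# two configured settings that the site's password policy accepts.

DEFAULT_CHARSET = string.ascii_letters + string.digits + "!@#$%^&*"
RESTRICTED_CHARSET = string.ascii_letters + string.digits  # A-Za-z0-9


def derive_password(master, site, length=16, charset=DEFAULT_CHARSET,
                    iterations=100_000):
    """Map (master, site, settings) deterministically onto a password.

    The site string is the salt, so one master secret yields an unrelated
    password per site. The salt is public, so the iteration count is the
    only thing slowing an offline guess of the master secret from a single
    leaked site password; this is the "one password compromises all" risk.
    """
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              site.encode("utf-8"), iterations,
                              dklen=2 * length)
    # Two bytes per output character keep the modulo bias negligible.
    return "".join(charset[int.from_bytes(key[2 * i:2 * i + 2], "big")
                           % len(charset)] for i in range(length))


def meets_policy(password, policy):
    """policy: dict with optional keys max_len, min_len, allowed (a charset)."""
    if len(password) > policy.get("max_len", 1 << 30):
        return False
    if len(password) < policy.get("min_len", 0):
        return False
    allowed = policy.get("allowed")
    return allowed is None or all(c in allowed for c in password)


# Defaults first, then the shorter alphanumeric fallback the comment describes.
SETTINGS = [
    {"length": 16, "charset": DEFAULT_CHARSET},
    {"length": 12, "charset": RESTRICTED_CHARSET},
]


def password_for_site(master, site, policy):
    """Return (password, settings_index) for the first settings the site accepts."""
    for idx, s in enumerate(SETTINGS):
        pw = derive_password(master, site, s["length"], s["charset"])
        if meets_policy(pw, policy):
            return pw, idx
    raise ValueError("no configured settings satisfy this site's policy")
```

Nothing per site is stored: the same master secret and site name regenerate the same password on any device, which is exactly why a leaked derived password exposes the master secret to offline guessing.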


I hate such sites with a passion. Especially ones that say a 10 character password is too long.


I hate any website that imposes a specific password format on me. I have a fondness for vaguely pronounceable passwords and I tend to use all-lower case for anything I have to enter on a mobile device.

So - reject my 16-character all-lower case password because there are no numbers or punctuation in it and you know better than me? Grrrrrrrrr.


That means one compromised password - your master password - compromises all your sites. That's the kind of risk I can't stomach.

LastPass is a huge target, yes - but (if we trust them) the data is only decrypted client side, so they have no access to it. Which means the only viable exploit is in the LastPass browser extension.


But isn't it encrypted with a secret that is also used to log into their web site, or to log into their API to recover the vault?


This is one of the things that scares me. If an attacker had access to dump their credential digests, could they also have modified the site to silently log credentials upon entry?

From their statements so far, it doesn't seem that happened, but it seems likely that it could.


It's a whole different cup of tea though, this compromise required the attacker(s) to go in, download data and get out. Your scenario would also require the attacker to have changed their site and go unnoticed for any significant amount of time.

If that was the case I'm sure Lastpass would've found out and reported as such.


The password is hashed on the client side before sending to the server.


> That means one compromised password - your master password - compromises all your sites.

I agree, but it's hard to see how it could be compromised, since it is never entered anywhere public-facing. You can, but need not, have the Firefox extension store it, but only in memory. It is also possible to use the PasswordMaker website (once loaded) without an Internet connection, in case you are worried about it leaking data.


Not that it's a cure-all, but one probably shouldn't be using a centralized password store without some sort of multifactor authentication enabled.


I wrote WebPass ( http://webpass.rkeene.org/ ) for a similar reason. It's extensible with domains having password requirements and does syncing (of parameters for passwords, never actual passwords -- since they are generated). The UI is bare, but it's open source (and aside from the syncing, done entirely client side).

The syncing is done with a FIFO: two clients connect with the same key and they each get what the other one POSTed; no data is logged on my side.


Not only do I see this issue groby_b raises as a huge one, but I'm not sure how this is supposed to work for sites that have various password requirements. Most of them don't display the requirements on the login page (or even on the signup page sometimes), so now I need to remember that on a per-site basis, which is just as bad as having to remember different passwords IMHO.


> Not only do I see this issue groby_b raises as a huge one

I think that it is not actually an issue, since the master password never goes out into the wild (see https://news.ycombinator.com/item?id=9722272).

> Most of them don't display the requirements on the login page (or even on the signup page sometimes), so now I need to remember that on a per-site basis, which is just as bad as having to remember different passwords IMHO.

For me, at least, this issue is solvable in practice. See https://news.ycombinator.com/item?id=9722276 .



