Just so we're clear: your assertion is that because the password generator uses a non-cryptographically secure PRNG, generating unique 20+ character alphanumeric passwords for every login is worse than people's default behavior?
I mean, I get that it's worse than other keepass implementations - that's obviously a problem - but if this gets people to stop using "hunter2" or "p4$$w0rd" that's got to be worth something, right?
No, it's not worse for your scenario. (That wasn't my assertion)
However, this is an alternative to KeePass/KeePassX, so the typical behavior of KeePass users is to generate passwords with it, not reuse bad passwords.
For example, I use KeePassX to generate strong passwords for long-term encrypted archives, and if I switched to this app, I wouldn't get the same security.
I'm confused, though. Should I say: "All right, people, fuck it, generate your passwords with Math.random! YOLO!"
I use KeePass and I don't use it to generate passwords. It's a pain to open and close every time I need to login somewhere, especially if I'm on mobile. I use it for when I forget my passwords, and I honestly believe that is the common use case, but who knows?
I hope that's not a common use case (among the technologically literate). I would expect said individuals to have far more passwords of sufficient length and complexity (not to mention duration) than could reasonably be remembered.
Lastpass, being primarily a browser plugin, makes generated passwords much more convenient. When I'm setting up a new account, I press Alt-G to bring up the generator dialog, and then it auto-fills when I need to log in. I honestly don't know most of my passwords (I still memorise my primary email password, so I'm not totally stuck if I lost access to LastPass).
This is a compromise, because I'd prefer to trust an open source tool and an encrypted local file, but I trust Lastpass enough, and the convenience is very nice.
There are add-ons for Firefox (KeeFox) and Chrome (ChromeIPass), making the UX of KeePass pretty much the same as LastPass. I switched about a month ago and am happy.
There are add-ons for Firefox/Chrome as well as apps for Android that enable autofill and other stuff you might expect from a modern password manager (making the UX pretty close to LastPass).
I've been pretty happy with keepass2android's keyboard integration. It avoids the clipboard entirely and helps autoselect the right password and username if you let it. It also supports using a HOTP NFC token in conjunction with the master password.
I know it doesn't add that much security since a determined attacker could still brute force the OTP with the way it works but it keeps out the casual attacker that's not that savvy.
The intent of KeePass is generally to let it generate sufficiently strong passwords for you, and a way to store those passwords. It's probably a bad idea to store passwords you've devised in it, because then you're not getting any additional security.
I use KeePass across a range of devices, including my phone and laptop. I keep the dictionary synced with Syncthing.
I use it regularly to generate new passwords for websites, refreshing old website passwords (hello Heartbleed!) and logging into existing accounts. I also lock down the security questions so they can't be guessed. I'm now logged out of most services by default, especially banking, and the dictionary auto-locks after a short time.
Once I accepted a small price of inconvenience in setup and use, it has a positive impact. Now I remember only one password and updates are kept in sync across all my stuff.
Yep, I use KeePass primarily for password management; in most cases I don't control what the passwords are. How else am I meant to store all these different client VPN credentials?
Security experts are really bad about explaining their positions. I don't doubt that you are right, but can you lay out the scenario for me where my Reddit account will be hacked because I used Math.random() to generate the password?
Hmm, I tend to think of KeePass as a manager for passwords for accounts, services, etc. I hadn't considered storing archive passwords in it, or are you only using it to generate them? It seems like pwgen would do that fairly well...