Hacker News

As someone who looked seriously at a scheme like this before reluctantly using a password manager instead, part of the appeal comes from vault anxiety. If I don't have the vault and a tool to use it, I can't access my accounts.

I like the idea of a scheme that I can use with a preferred utility, but which I could assemble from commonly available tools if necessary. It's not too hard to find PBKDF2 in a Python or JavaScript library, or reimplement it yourself using even more commonly available primitives.

To be clear, I was never under the illusion that a password generator is as secure as a vault full of random passwords. The point is to improve on password reuse, or trivial transformations on a core password. If you generate random passwords for every single account, this is not for you, but it's probably better than storing weak passwords in a vault.

The problem, even if you ignore the straw men that usually get pummeled on threads like this, is that as you address the practical and security limitations of a naive scheme, you tend to lose the simplicity of the initial idea. You end up adding counters and password rules, so you have state to maintain/sync. Even if you don't treat it as secret, it chips away at the essential appeal of the concept. One comment on this post even mentions using a key file.
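The scheme the comment describes, as an added example that is not the commenter's own code: a deterministic site password derived from a master password with nothing but the standard library's PBKDF2-HMAC-SHA256, plus the per-site counter and character rules that turn the stateless idea into state you have to keep and sync. The default rule set, the charsets, the iteration count and the site names are assumptions made for this example.

```python
import hashlib
import json

# Per-site rules are the "state" the comment warns about: they are not
# secret, but without the right counter and rule set you cannot regenerate
# the same password. Defaults and charsets below are assumed for this example.
DEFAULT_RULES = {"length": 20, "charset": "all", "counter": 1}

CHARSETS = {
    "all": ("abcdefghijklmnopqrstuvwxyz"
            "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "0123456789!@#$%^&*"),
    "alnum": ("abcdefghijklmnopqrstuvwxyz"
              "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
              "0123456789"),
    "digits": "0123456789",
}


def _unbiased_chars(key_material, alphabet):
    """Map derived bytes onto the alphabet by rejection sampling, so a plain
    modulo does not skew output toward the low-index characters."""
    n = len(alphabet)
    limit = 256 - (256 % n)          # largest multiple of n that fits in a byte
    return [alphabet[b % n] for b in key_material if b < limit]


def derive_password(master, site, rules=None, iterations=100_000):
    """Deterministically derive a site password from a master password.

    Only hashlib.pbkdf2_hmac is used, so the scheme can be rebuilt from a
    stock Python install when the preferred tool is not at hand.
    """
    rules = {**DEFAULT_RULES, **(rules or {})}
    alphabet = CHARSETS[rules["charset"]]
    # The salt binds the output to the site and to the counter; bump the
    # counter when a site forces a rotation, and remember that you did.
    salt = f"{site}\x00{rules['counter']}".encode()
    dklen = rules["length"] * 4
    while True:
        km = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen)
        chars = _unbiased_chars(km, alphabet)
        if len(chars) >= rules["length"]:
            return "".join(chars[:rules["length"]])
        # Rejection sampling discarded too much; ask PBKDF2 for more output.
        # Longer dklen only appends blocks, so earlier characters are unchanged.
        dklen *= 2


def export_state(site_rules):
    """Serialize the non-secret per-site rules that still have to be synced."""
    return json.dumps(site_rules, sort_keys=True)


def import_state(blob):
    """Inverse of export_state."""
    return json.loads(blob)


if __name__ == "__main__":
    # Constructed sample: one site rotated once, one site that only takes PINs.
    state = {
        "example.com": {"counter": 2},
        "bank.example": {"charset": "digits", "length": 6},
    }
    master = "correct horse battery staple"
    for site, rules in state.items():
        print(site, derive_password(master, site, rules))
    print("state to sync:", export_state(state))
```

The per-site dictionary is exactly the bit that chips away at the "assemble it from common tools" appeal: losing it does not leak anything, but it does mean a wrong counter or charset silently yields a different password, which is the vault-anxiety problem in a smaller form.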


