F. A. Q.

Seriously?

Yes.

Doesn't that mean anybody who gets into my email could break into my accounts?

Yes. That was already the case, whether you use NilPass or not. Without NilPass, they could also get in by guessing your password. All using NilPass does is reduce the number of ways you can get pwned.

What if somebody guesses the password that NilPass sets?

With 80 bits of cryptographic entropy (what NilPass uses by default), the odds of that are literally one in a million billion billion. If the NSA dedicated all of their code-cracking computer power just toward cracking your NilPass password, it would take them somewhere on the order of tens of thousands of years to find by brute force.

I know, 14 characters doesn't look like much, but exponents are tricky like that.
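To make the exponent concrete, here is an added worked example (not NilPass's own code) that computes how many bits a random password of a given length carries, how long a password must be to reach a target like 80 bits, and how long an exhaustive search would take at an assumed guess rate. The page does not state which character alphabet NilPass draws from or what guess rate it has in mind for the NSA, so the 62-character alphanumeric alphabet and the guess rates below are assumptions used only to illustrate the arithmetic; the generator uses the standard library's `secrets` module, which is what a practitioner should use for this job.

```python
import math
import secrets
import string

# Assumption: the alphabet is not stated on the page; 62 alphanumerics are used here.
ALPHABET = string.ascii_letters + string.digits
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy in a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits: float, alphabet_size: int = len(ALPHABET)) -> int:
    """Smallest length whose entropy reaches `target_bits` (80 bits -> 14 chars at 62 symbols)."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def expected_guesses(bits: float) -> float:
    """On average an attacker finds the password after trying half the space."""
    return 2 ** (bits - 1)


def years_to_brute_force(bits: float, guesses_per_second: float) -> float:
    """Expected time, in years, for an exhaustive search at an assumed guess rate."""
    return expected_guesses(bits) / guesses_per_second / SECONDS_PER_YEAR


def generate_password(target_bits: float = 80) -> str:
    """Draw a fresh random password with at least `target_bits` of entropy.

    Nothing about the result is retained here: the caller hands it to the site's
    password-change form and forgets it, which is the design the FAQ describes.
    """
    n = length_for_bits(target_bits)
    return "".join(secrets.choice(ALPHABET) for _ in range(n))


if __name__ == "__main__":
    pw = generate_password(80)
    print(f"generated {len(pw)} chars, {entropy_bits(len(pw)):.1f} bits")
    # Assumed guess rates, chosen to show the scale; they are not figures from the page.
    for rate in (1e9, 1e12, 1e15):
        print(f"{rate:.0e} guesses/s -> {years_to_brute_force(80, rate):,.0f} years")
```

Running it shows why 14 characters is not "much" to look at but plenty to search: at a trillion guesses per second an 80-bit search still runs to tens of thousands of years, and each additional character multiplies that by the alphabet size.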

How can you call this "impenetrable" when it's just a browser extension?

Okay, I concede that the extension itself isn't truly impenetrable - it's only as "impenetrable" as the browser itself. On top of that, the account that publishes the extension could also potentially be compromised at some point in the future. These are valid points. (Of course, they're also points that are true for any other password manager with a browser extension.)

Where NilPass is impenetrable, in contrast to any conventional "password manager", is in the realm of what could happen to your existing passwords in the event that the manager is compromised. Since NilPass doesn't keep a record of any sort of data that could be used to reconstruct the password, there is no way that your passwords can be stolen from NilPass after the fact in the event that the codebase is compromised.

Some of my websites don't offer password reset by email, or if they do, it's really awkward.

Well, then don't use NilPass for those websites.

Look, I'm not saying this is the be-all and end-all of credential management. The truth is, there are some situations out there where it's fully justified to use an actual password - the kind that you actually memorize, and produce from memory every time you need to authenticate yourself.

The thing is, that's not every site - for the long tail of sites people use, where you're only logging in occasionally, maintaining a password is a nuisance, one that is fragile and error-prone. For sites like these, you're better off just disabling password access, and relying on your email inbox as your center of identity (especially since that's likely how the rest of your online life already works anyway, more or less).

But yeah, if you have a site that you log into frequently, and it's inconvenient to check your email every time, and you want it to be secure, you're better off just using a real password - one you keep in your head, not your computer. (That's not to say you have to memorize it by itself - there are lots of good mnemonic devices you could draw inspiration from. I recommend Hashblot.)