NoCrack seems extremely vulnerable to a crack since they create decoys on the fly. It should be fairly trivial to pick it apart and tell when you're getting a real password from the vault. As for the stateless password managers, they operate without any kind of wallet, which is their problem. Also you can't change a password for any reason, that's a problem too. If you have a wallet, most of the problems go away. I'm thinking as follows:
The wallet stores a PRNG value to avoid various rainbow attacks. For each site/login the wallet stores a 128-bit PRNG and how to extract the password from the hash.
Upon entering a password, the software shows you:
a) The fingerprint of SHA1(unique key+password) in some user friendly way so you might realize a mistyped password
b) For each site/login SHA1(unique key + password + site/login key).toBase64().substring(startPos, length)
For example,
When I generate the wallet, there's a random seed. Let's say it's
1234567890abcdef.
I add a site/login called "Slashdot" and it generates a site key:
1122334455667788
My password is "go fish"
When I type it in, it generates SHA1(1234567890abcdef + "go fish") = "PFr7t9qfAP9PFVG0+Vvbez82rW8=" and I know that if I type the password right it should start with PFr... something.
My hash for slashdot is SHA1(1234567890abcdef + 1122334455667788 + "go fish") = "8ktw2l8XVdI81/6TvEcg5EbxJ90="
I pick some part of that which satisfies this site's requirements like "ktw2l8XV" and the wallet stores (openly) that it'll take startPos = 2, length = 8. If nothing works because the site is weird, I can always generate a new site key and I'll get a new string to choose from.
If you type something other than "go fish", you'll get a different set of passwords but no indication whether it's right or wrong. Some of those passwords might fail the site's password requirements, but that's a very weak elimination.
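The scheme described in the comment above, as an added Python sketch that is not the commenter's code: it enrolls a site by retrying site keys until a window of the hash meets a policy, then counts how many wrong master passwords the policy check alone rules out. Assumptions: values are concatenated as UTF-8 text in the order of the worked example (seed, site key, password), `start` is 0-based, and the policy, the function names and the guess list are hypothetical.

```python
import base64, hashlib, re, secrets

# Hypothetical site rule: exactly 8 letters/digits, at least one of each.
POLICY = re.compile(r"(?=.*[A-Za-z])(?=.*\d)[A-Za-z0-9]{8}")

def b64_sha1(*parts):
    # Assumption: values are concatenated as UTF-8 text before hashing.
    digest = hashlib.sha1("".join(parts).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")

def fingerprint(seed, master, shown=3):
    # Displayed to the user only and never stored, so the wallet holds no verifier.
    return b64_sha1(seed, master)[:shown]

def site_password(seed, site, master):
    h = b64_sha1(seed, site["key"], master)
    return h[site["start"]:site["start"] + site["length"]]

def enroll_site(seed, master, length=8):
    # Retry site keys until some window of the hash meets the policy;
    # the key and the window are what the wallet stores openly.
    while True:
        key = secrets.token_hex(8)  # 16 hex characters, like the site key in the post
        h = b64_sha1(seed, key, master)
        for start in range(len(h) - length + 1):
            if POLICY.fullmatch(h[start:start + length]):
                return {"key": key, "start": start, "length": length}

def surviving_guesses(seed, site, guesses):
    # All that the stored wallet lets anyone rule out offline: guesses whose
    # derived string breaks the site policy.
    return [g for g in guesses if POLICY.fullmatch(site_password(seed, site, g))]

def demo():
    seed = secrets.token_hex(8)
    site = enroll_site(seed, "go fish")
    guesses = ["go fish"] + [f"guess{i}" for i in range(2000)]  # constructed guesses
    kept = surviving_guesses(seed, site, guesses)
    return site, kept, len(guesses)

if __name__ == "__main__":
    site, kept, total = demo()
    print(f"stored openly: {site}")
    print(f"{len(kept)} of {total} guesses still plausible after the policy check")
```

Each additional site enrolled under the same master password adds another policy filter of this kind, so the elimination compounds across entries in the wallet.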