We introduce a novel approach to password management, called SPHINX, which remains secure even when the password manager itself has been compromised. In SPHINX, the information stored on the device is theoretically independent of the user's master password. Moreover, an attacker with full control of the device, even at the time the user interacts with it, learns nothing about the master password-the password is not entered into the device in plaintext form or in any other way that may leak information on it. Unlike existing managers, SPHINX produces strictly high-entropy passwords and makes it compulsory for the users to register these passwords with the web services, which defeats online guessing attacks and offline dictionary attack upon service compromise. We present the design, implementation and performance evaluation of SPHINX, offering prototype browser plugins, smartphone apps and transparent device-client communication. We further provide a comparative analytical evaluation of SPHINX with other password managers based on a formal framework consisting of security, usability, and deployability metrics.