by mbid 3043 days ago
If you're already using a password manager, shouldn't you be using different (random) passwords for every service anyway? What's the point then?

I guess it makes sense to use this if you've begun using a password manager without changing your old passwords. But if possible you should really be doing that instead.

Also, I still don't understand why Troy doesn't use a cryptographically secure hash function instead of SHA1. Say I send the (truncated) hash of one of my passwords to his service and it returns no match in his database. I then consider it secure because it's supposedly not leaked. But shouldn't I really consider it leaked because I've revealed an insecure hash of it to a third party? What's there to lose with using a secure hash function over SHA1? Surely the one-time cost of hashing the database of passwords is negligible?

2 comments

Just because you're using a password manager doesn't mean none of the services you have a password on has had a leak. In such case, you'd still want to change your password on that service.
Thanks to k-anonymity, you never send the full hash, only the first 20 bits.
Yes, I know. It's certainly better to leak only the first eighth of your password than all of it, but it's still not something you should do.
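The range query described in the k-anonymity comment above, as an added Python example that is not code from the thread or from the service it discusses: only the first 5 hex characters (20 bits) of the SHA-1 digest would leave the client, and the suffix is matched locally against whatever list comes back. The response format (one "SUFFIX:COUNT" line per entry) and the sample entries are assumptions constructed for this example.

```python
import hashlib

# Constructed sample of a range response for prefix "5BAA6" (not real breach
# data). Assumed format: one "SUFFIX:COUNT" line per leaked digest that shares
# the queried prefix. The first entry is the real SHA-1 suffix of "password".
SAMPLE_RANGES = {
    "5BAA6": """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
0F2D8A41C7B6E9D3A5F1C0B2E4D6A8F0C1B:12
7A1B2C3D4E5F60718293A4B5C6D7E8F9A0B:1
""",
}


def split_sha1(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the uppercase hex SHA-1 digest.
    5 hex chars = 20 bits: the prefix is the only part sent to the service."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a dict; malformed lines are skipped."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def fake_range_lookup(prefix: str) -> str:
    """Stand-in for the network call: returns the bucket for a prefix, or ''."""
    return SAMPLE_RANGES.get(prefix.upper(), "")


def breach_count(password: str, lookup=fake_range_lookup) -> int:
    """How many times the password appears in the bucket; matching is local,
    so the full digest never leaves this function."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(lookup(prefix)).get(suffix, 0)


def fraction_disclosed(prefix_hex_chars: int = 5, digest_bits: int = 160) -> float:
    """Share of the digest revealed by the prefix: 20 of 160 bits = one eighth."""
    return (4 * prefix_hex_chars) / digest_bits


if __name__ == "__main__":
    print(split_sha1("password")[0], breach_count("password"), fraction_disclosed())
```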