[BrandonDC]

Password security is a shared responsibility between the company storing the password and the user who chooses what password to store. As a user, you rarely know the full extent to how a company manages the storage of passwords so the responsibility truly rests on your shoulders to choose unique passwords for each service that you use.

[dpark]

This is simply not realistic. I've got hundreds of accounts online. I cannot remember a truly unique password for each. It's not possible (not for me at least). I can't even remember all the sites I've got accounts.

A lot of people implement their own hash ("I use a base password plus the second letter of the url and the number of letters in the domain: dumbe18"), but this is not unique per site, and these hashing schemes don't tend to be as unique or as hard to figure out as one might imagine.

There are utilities now that try to help, but I've not found one that's even remotely convenient when it comes to accessing sites on multiple computers, my phone, and my tablet. Not to mention I'm putting my trust in a 3rd party to handle all of my passwords when I do this.

[cpeterso]

I use the SuperGenPass Password Generator bookmarklet. It generates site-specific passwords by hashing the site's domain name with your master password. You can save bookmarklet offline or host in on your own web server so you can generate passwords when you are away from your home computer.

http://supergenpass.com/

The only problem is when SuperGenPass's generated passwords are not compatible with some site's unusual password restrictions. They I have write down a one-off password. A cool idea: a password generator bookmarklet that knows the site-specific password formats. The formats could be extensible (by bookmarklet developer and end users), analyze HTML5 form validation rules, or websites could publish a machine-readable password description microformat.

[dchest]

SuperGenPass uses a one-way hash algorithm (base-64 MD5) to generate passwords.

Bah.

Here's mine https://chrome.google.com/webstore/detail/hegbhhpocfhlnjmemk...

[BrandonDC]

Personally, I think it's more realistic to place your trust in one verifiable source (i.e. using the cross-platform KeePass with the encrypted database stored on Dropbox) than assume that "hundreds" of different organizations are all going to implement adequate authentication strategies.

What seems oddly unrealistic to me is that if one company exposes your password, you now have to not only remember all of the hundreds of sites you have accounts on, but log in to each one and change that one password that you always use.

[dpark]

I agree the current system is broken, but asking users to remember hundreds of passwords is no less broken. As for KeePass, the problem is that I can't get integration with a browser on my phone or tablet, so I'm left jumping back and forth between apps every time I need to log into something. Not to mention there's no official KeePass implementation for the Mac (unless I want to run on Mono). I also frankly think it's unnecessarily complex, but maybe I should give it a try again.

I really don't understand how you can take the stance that it doesn't matter if a site has proper password security. Why are you bothering to use KeyPass if you don't care about security in the first place?