by Shank 5179 days ago
The real problem with humans is that passwords are still hard to remember for multiple services. Doesn't matter if you have a secure password and it's used everywhere.

Likewise, if it's used with LastPass or 1Password style services, you face the problem of dealing with entering it. Though a desktop PC is fine for this, the best counter-examples are mobile devices.

LastPass on mobile: 1. Use app that needs a password. 2. Realize password is in LastPass. Exit app, find LastPass. 3. Open LastPass, and login. 4. Copy password. 5. Switch back to the other app. 6. Enter password.

This is so tedious that people are going to re-use some password just for the sake of not having to do the above every time.

2 comments

The rule of thumb I'm using for password management ... if losing everything means you'll lose your passwords, then that's not good password management. But you also need unique passwords for each service.

My passwords are generated using HMAC_SHA256( global password, domain_name, salt ). My global password is a 7-word phrase that contains capitalization and 2 words that are not in the dictionary. Each password generated is unique for each website and reasonably long (settled on 32 chars).

This is not perfect but works well.

Related to your problem of usability ... I use Firefox on my mobile and through Firefox Sync I get all cookies synchronized from my laptop. Meaning that I am rarely required to enter passwords on my mobile.
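Below is an added example of the HMAC-based derivation the comment above describes; it is not the commenter's own code. The comment gives only HMAC_SHA256(global password, domain_name, salt), so the details here are assumptions: the master phrase is the HMAC key, the message is the normalized domain joined to the salt with a NUL separator, and the 32-byte digest is encoded as base64url and truncated to 32 characters. The `rotation` counter is also an addition, because a deterministic scheme otherwise has no way to change one site's password after a breach without changing the master phrase.

```python
import base64
import hashlib
import hmac

# Example derivation (not the original commenter's code). Assumptions:
#   key     = master phrase (UTF-8)
#   message = normalized domain + NUL + salt + NUL + rotation counter
#   output  = base64url(HMAC-SHA256 digest) without padding, truncated to `length`
MAX_LENGTH = 43  # 32-byte digest -> 43 base64url chars after stripping padding


def normalize_domain(domain: str) -> str:
    """Lower-case the domain and drop a leading 'www.' so that
    'www.Example.com' and 'example.com' derive the same password.
    (Normalization rule is an assumption; the comment does not state one.)"""
    d = domain.strip().lower().rstrip(".")
    if d.startswith("www."):
        d = d[4:]
    return d


def derive_site_password(master: str, domain: str, salt: str,
                         length: int = 32, rotation: int = 0) -> str:
    """Deterministic per-site password: HMAC_SHA256(master, domain || salt || rotation).

    The master phrase is the HMAC key, so it never appears in the message.
    `rotation` lets a single site's password be changed without changing
    the master phrase; the counter must then be remembered for that site.
    """
    if not 8 <= length <= MAX_LENGTH:
        raise ValueError(f"length must be between 8 and {MAX_LENGTH}")
    msg = b"\x00".join([
        normalize_domain(domain).encode("utf-8"),
        salt.encode("utf-8"),
        str(rotation).encode("ascii"),
    ])
    digest = hmac.new(master.encode("utf-8"), msg, hashlib.sha256).digest()
    # base64url keeps upper/lower case, digits, '-' and '_' -> 6 bits per char.
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")[:length]


def password_bits(length: int) -> int:
    """Approximate entropy of the output string, ignoring the master phrase:
    each base64url character carries 6 bits (capped at the digest's 256)."""
    return min(length * 6, 256)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    master = "Correct Horse Battery Staple Quixotic Zymurgy Flibbertigibbet"
    salt = "my-salt-2011"
    for site in ("news.ycombinator.com", "www.Example.com", "example.com"):
        print(site, "->", derive_site_password(master, site, salt))
    print("rotated ->", derive_site_password(master, "example.com", salt, rotation=1))
    print("bits    ->", password_bits(32))
```

Two things the scheme does not solve on its own: every site password depends on the one master phrase, so any site that leaks a password gives an attacker an offline target for guessing the phrase (HMAC-SHA256 is fast, so the phrase has to carry the entropy, which is why the comment uses a long phrase with out-of-dictionary words), and sites with their own composition rules (maximum length, required symbols) need per-site exceptions that have to be remembered somewhere.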

Android password app: Menu, Share Page, select Password app, type password, then Back and Paste. It's not that bad.