by baak 5058 days ago
I'm no expert, but why does this have to be done on the password level? Why can't we just assign usernames to our own sites, and force people to login with those? I know that's incredibly annoying for a user, but it would at least guarantee the user credentials for your site are unique from any other site.

This would mean that there are two "passwords" that I have to remember - the userid and the actual password. Chances are, your site isn't worth it to remember a new uid. (I counted that only 5 out of my 150 stored account passwords are for something worth remembering anything at all.) If you are important (say, paypal or gmail) - do two-factor authentication. If you are not - don't bother me. Even creating an account is already more effort than most sites are worth.
It is equally obnoxious to generate a random string of garbage and:

* insist it's the username,

* insist it is in the password somewhere, or

* make them type the string in a third logon field

It adds friction to the process in order to solve a problem that is not "ours" to solve.

An option with less friction would be to ask them to choose a picture from 16 candidates. The 16 candidate photos would need to be generated from the username to avoid the ability to refresh the page and find the persistent image. Each image could have the random characters associated with it to be used as an addendum to the salt, or for whatever purposes on the back end which the random characters are supposed to accomplish.
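One way the picture scheme above could be wired up on the back end, as an added illustration that is not code from the thread: the 16 candidates and the per-image characters are derived from the username with a keyed hash (the server key, the image pool and the counts are constructed placeholders), and the chosen image's characters extend a normal random salt rather than replace it.

```python
import hashlib
import hmac
import secrets

# Constructed placeholders: a real deployment holds the key server-side and
# uses real image identifiers for the pool.
SERVER_KEY = b"constructed-server-secret-key"
IMAGE_POOL = [f"img{n:03d}" for n in range(200)]
CANDIDATES = 16

def _tag(*parts: bytes) -> bytes:
    """Keyed hash: candidates cannot be recomputed without the server key."""
    return hmac.new(SERVER_KEY, b"\x00".join(parts), hashlib.sha256).digest()

def candidate_images(username: str) -> list:
    """The 16 images shown at login. They depend only on the username, so a
    page refresh shows the same set and the real image is not the only stable one."""
    chosen = []
    counter = 0
    while len(chosen) < CANDIDATES:
        digest = _tag(b"pick", username.encode(), counter.to_bytes(2, "big"))
        image_id = IMAGE_POOL[int.from_bytes(digest, "big") % len(IMAGE_POOL)]
        counter += 1
        if image_id not in chosen:
            chosen.append(image_id)
    return chosen

def image_secret(username: str, image_id: str) -> bytes:
    """The 'random characters' tied to one candidate image for this user."""
    return _tag(b"addendum", username.encode(), image_id.encode())

def hash_password(password: str, salt: bytes, username: str, image_id: str) -> bytes:
    # The image characters are an addendum to the per-user random salt.
    full_salt = salt + image_secret(username, image_id)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), full_salt, 200_000)

def enroll(username: str, password: str, image_id: str) -> dict:
    if image_id not in candidate_images(username):
        raise ValueError("image is not among this user's candidates")
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": hash_password(password, salt, username, image_id)}

def verify(record: dict, username: str, password: str, image_id: str) -> bool:
    if image_id not in candidate_images(username):
        return False
    expected = hash_password(password, record["salt"], username, image_id)
    return hmac.compare_digest(record["hash"], expected)
```

Note that one pick out of 16 contributes only four bits, so the image is a second prompt layered on the password, not a substitute for a strong one.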