by cheald 5058 days ago
Big ol' hole here: You can't identify web apps by domain. Are you going to tell me I can't use "password123" as my password on store.foo.com and secure.foo.com (when they both point to the same database and the same user record)? Are you going to assume that passwords may be shared across all TLDs? (so I can re-use passwords on multiple separate apps on the same TLD)

It's a nice idea, but in practice, it would drive you insane because the web is not a nice uniform entity where everyone plays by a pre-arranged set of rules.

Just use LastPass and let it autogenerate passwords for you. It's stupid easy, and super effective. LastPass will even tell you how many sites you're using the same passwords on! ( https://lastpass.com/index.php?securitychallenge=1&fromw... )
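To make the two failure modes in this comment concrete, here is an added example (not from the comment, and not LastPass code) that runs a reuse check over a small constructed vault with three different notions of "the same app": exact host, a crude parent-domain grouping, and host plus an explicit equivalent-domain list; all URLs and passwords are made up.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample vault of (site URL, password); not real credentials.
VAULT = [
    ("https://store.foo.com/login", "password123"),   # same backend and
    ("https://secure.foo.com/account", "password123"), # user record as store.
    ("https://alice.example-host.net/", "hunter2"),   # two unrelated apps that
    ("https://bob.example-host.net/", "hunter2"),     # merely share a parent domain
    ("https://bar.org/", "hunter2"),
    ("https://baz.io/", "unique-passphrase-9"),
]

# Hypothetical site-supplied knowledge: hosts that share one account database.
EQUIVALENT = [frozenset({"store.foo.com", "secure.foo.com"})]

def by_host(url):
    """Strictest grouping: every hostname is its own app (false positive on foo.com)."""
    return urlsplit(url).hostname.lower()

def by_parent_domain(url, labels=2):
    """Crude eTLD+1 approximation (last two labels). Merges store/secure.foo.com
    correctly, but also merges alice.* and bob.*, hiding real reuse."""
    return ".".join(by_host(url).split(".")[-labels:])

def by_host_with_equivalents(url, groups=EQUIVALENT):
    """Host grouping, except hosts declared equivalent collapse to one canonical id."""
    host = by_host(url)
    for group in groups:
        if host in group:
            return min(group)
    return host

def find_reuse(vault, app_id):
    """Return {password: sorted app ids} for every password used in more than one app."""
    apps = defaultdict(set)
    for url, password in vault:
        apps[password].add(app_id(url))
    return {pw: sorted(ids) for pw, ids in apps.items() if len(ids) > 1}

if __name__ == "__main__":
    for name, fn in [("host", by_host), ("parent domain", by_parent_domain),
                     ("host + equivalents", by_host_with_equivalents)]:
        print(f"{name}: {find_reuse(VAULT, fn)}")
```

Only the third grouping gets both cases right, and it needs information the URL alone does not carry, which is the commenter's objection to a purely domain-based rule.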

1 comments

Nobody gets the point. The point is that you can't force 99% of the people to use something. What I advocate is enforcement on the part of the browser and / or sites. If the user has the choice to be lazy, no solution works.