by dredmorbius
4795 days ago
No: you hash the master password, locally, and use that hash as the value you provide the remote site. Now, they should also hash the hash, so that should it be known, your account on that site and that site alone cannot be compromised. But your master password is safe.

One of the problems with a scheme such as this is sites with multiple subdomains that use the same account per user. I'm thinking of Stack Exchange and Slashdot, for example. So simply using the hostname to generate a hash won't quite work. But either this or the PKI method would be vastly preferable to what exists today.

For myself: I've been generating unique, per-site passwords for the past decade or more, and saving those in an encrypted database. Multiple copies of that spread around to prevent loss of access in the event of any single system going down. But otherwise: secure.
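The scheme described in the comment above, sketched as an added example that is not part of the original post: the client derives a per-site value from the master password, the site hashes that value again, and a realm lookup handles subdomains that share one account. The alias table, function names and PBKDF2 parameters are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import os

# Constructed alias table (assumption): hostname suffix -> account realm shared
# by every subdomain that uses the same login.
REALM_SUFFIXES = {
    "stackexchange.com": "stackexchange.com",
    "slashdot.org": "slashdot.org",
}
ITERATIONS = 200_000  # assumed work factor for this sketch

def account_realm(hostname):
    """Map a hostname to the realm whose account it uses; default is the host itself."""
    host = hostname.lower().rstrip(".")
    for suffix, realm in REALM_SUFFIXES.items():
        # Require a label boundary so "notslashdot.org" does not match "slashdot.org".
        if host == suffix or host.endswith("." + suffix):
            return realm
    return host

def site_password(master, hostname, use_realm=True):
    """Client side: derive the value sent to the site; the master stays local."""
    scope = account_realm(hostname) if use_realm else hostname.lower()
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), scope.encode(),
                              ITERATIONS, dklen=24)
    return base64.urlsafe_b64encode(raw).decode()

def server_store(submitted):
    """Site side: hash the received hash again with a random per-user salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", submitted.encode(), salt, ITERATIONS)
    return salt, digest

def server_verify(submitted, salt, stored):
    """Site side: recompute and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", submitted.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)

if __name__ == "__main__":
    master = "constructed master passphrase"  # sample value, not a real secret
    for host in ("security.stackexchange.com", "unix.stackexchange.com"):
        print(host, site_password(master, host, use_realm=False),
              site_password(master, host))
```

Run directly, it prints two different hostname-keyed values for the two Stack Exchange subdomains next to one identical realm-keyed value, which is the failure the comment points out and one way around it.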