[StavrosK]

What do you mean "not that secure either"? 8 random upper-lower-numeric characters are 47.6 bits of entropy, that is 47.8. I'd say that's decently secure, and the suggestion that you bcrypt your username with the site's domain for a salt is pretty much the definition of security through obscurity, like the other commenter said.

Please don't discourage good practices. Four random words is a lot better than "password123", though it would still take 1.5 day to crack it if it were stored as an MD5 hash. Six words would take 65 years at 1ghash/sec, which is pretty damn good, and better than a 12-char random password. 5 words would take 16 years, which seems like a pretty good compromise.

EDIT: Although, I don't like straight-up Shannon entropy as a measure of password strength.

[venomsnake]

I gave the bcrypt example as a anti-pattern if I didn't make myself clear.

Any password derivation scheme works brilliantly until you are the only one using it. The moment it becomes widespread and people begin to target it - it goes anywhere from significantly weaker to trivial to crack.

[StavrosK]

The problem with that is that password derivation is entirely reasonable and encouraged. It's what PBKDF2 does (the "KD" stands for "Key Derivation"). Securing your passphrase with a few thousand rounds of bcrypt and salting with the domain is a great way to strengthen it, since you don't have to trust any shitty MD5 password storage mechanism the site has, the attacker has to brute-force bcrypt to be able to get your master passphrase.