[stepstep]

Stanford published a paper that is basically the exact same model: http://crypto.stanford.edu/PwdHash/pwdhash.pdf

This is not a new technique. In addition to the Stanford paper, there are several other implementations mentioned in these comments. It's a compromise, not a mistake. It is better to memorize one strong password than a dozen weak ones.

This isn't custom crypto. It's a well-known hash function that serves as a filter, transforming the passwords you would otherwise enter directly into a website's login form. It is no less secure than typing in passwords by hand.

[moe]

Stanford published a paper that is basically the exact same model

Um yea.. "basically".

Except they demand an 'ultra-slow' hash function in that paper. You ignored that requirement and that makes your implementation equivalent[1] to using the same password for all websites.

[1] https://www.achilleslabs.com/product/4

[stepstep]

2^16 rounds of SHA-256 might not be "ultra slow" but it's certainly not as bad as you make it seem. If you read the analysis in the article, it would take many years to crack a random password with this hash function. It's unfair to say I "ignored" that requirement.

[moe]

If you read the analysis in the article, it would take many years to crack a random password with this hash function.

You are wrong. Your analysis is based on the premise that an attacker might be able to compute "a billion hashes per second".

As I just showed you in my previous comment anyone with $3000 USD can actually compute at least 6000 billion hashes per second.

This means it takes about 11 days to crack a random 8-character alphanumeric password. Not 200 years as you claim.