For example: http://www.win.tue.nl/cccc/sha-1-challenge.html -- the winner is cracking SHA1'ed passwords at seven thousand times the speed WA uses in their estimates.
Try a pass-phrase with
Still a work in progress, I guess.
A different password on each site is unacceptable. Being locked into lastpass and the like is also unacceptable.
BrowserID means I can't use different browsers easily. Pass.
An email/token based solution means 1) Users do not have to go through a tedious registration process. 2) Users do not have to remember a passphrase (or worse, a password), which by the way is the most arrogant thing a site can require of its users. By requiring passwords you are telling your users that you're super-duper important and worthy of the memory space. You're not. 3) Logging in and signing up are now indistinguishable from the user perspective.
BrowserID requires a one-time email verification for a given browser; nothing precludes you from using it with multiple browsers. By definition, it's easier and less intensive than what you're proposing.
>A different password on each site is unacceptable. Being locked into lastpass and the like is also unacceptable.
I'm not locked into LastPass. There are alternatives and I could hack one together with minimal effort.
The other points you bring up have little to do with authentication and more to do with duplication of (often necessary) profile information. There are other solutions for that, including extensions to OpenID and OAuth.
Alternate ways of generating strong passwords on your local box that I'm aware of:
* Mac OS X users can launch Keychain Access, click the + button, then the Key button on the very right. This gives you a dialog window which will generate strong passwords in various configurations, such as memorable ones.
* The pwgen utility is available on several Linux distributions and on Macports. It too can generate memorable passwords. Check out the -s and -y command line options and note that you can give the desired password length on the command line.
Any other recommendations?
APG (Automated Password Generator) is the tool set for random password generation. It generates some random words of required type and prints them to standard output. Advantages:
* Built-in ANSI X9.17 RNG (Random Number Generator) (CAST/SHA1)
* Built-in password quality checking system (now it has support for Bloom filter for faster access)
* Two Password Generation Algorithms:
1. Pronounceable Password Generation Algorithm (according to NIST
2. Random Character Password Generation Algorithm with 35 configurable modes of operation
* Configurable password length parameters
* Configurable amount of generated passwords
* Ability to initialize RNG with user string
* Support for /dev/random
* Ability to crypt() generated passwords and print them as additional output.
* Special parameters to use APG in script
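The two posts above describe tools (Keychain Access, pwgen, apg) that draw passwords from a cryptographic RNG and, in their "memorable" modes, assemble them from words. The following is an added example, not code from this thread or from pwgen/apg, showing the same two approaches in Python with the `secrets` module (the CSPRNG-backed generator) together with the entropy arithmetic that lets you compare a random-character password against a word-based passphrase. The 64-word list is constructed for illustration; a real Diceware-style list has 7776 words, and all function names here are assumptions of this example.

```python
"""Random-character passwords and word passphrases from a CSPRNG, plus entropy
estimates. Added example; not the code of pwgen, apg or Keychain Access."""
import math
import secrets
import string

# Constructed 64-word list: each word chosen uniformly from it contributes
# log2(64) = 6 bits. A real 7776-word Diceware list gives ~12.9 bits per word.
WORDS = [
    "apple", "river", "stone", "cloud", "maple", "tiger", "ocean", "lemon",
    "candle", "forest", "silver", "meadow", "pepper", "violet", "copper", "harbor",
    "anchor", "basket", "button", "castle", "dragon", "eagle", "falcon", "garden",
    "hammer", "island", "jacket", "kettle", "ladder", "marble", "needle", "orange",
    "pencil", "quiver", "rocket", "saddle", "timber", "umbrella", "velvet", "walnut",
    "yellow", "zebra", "bridge", "cactus", "desert", "ember", "feather", "glacier",
    "honey", "ivory", "jungle", "kayak", "lantern", "mirror", "nectar", "oyster",
    "parrot", "quartz", "ribbon", "sunset", "thunder", "urchin", "voyage", "willow",
]

# 26 + 26 + 10 + 32 = 94 printable ASCII symbols (the usual pwgen -y / apg -M SNCL set).
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(alphabet_size: int, n_symbols: int) -> float:
    """Entropy of n_symbols drawn independently and uniformly from alphabet_size."""
    return n_symbols * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to recover a uniformly random secret of `bits` entropy:
    on average the attacker searches half the space before hitting it."""
    return 2 ** (bits - 1) / guesses_per_second


def random_password(length: int = 16, alphabet: str = FULL_ALPHABET) -> str:
    """Uniform random characters from `alphabet`.

    For every character class present in the alphabet, rejection-sample until at
    least one symbol of that class appears (the "must include" behaviour of
    pwgen -y / apg). Rejection keeps the output uniform over the accepted set,
    unlike patching a missing class into a fixed position, which would bias it.
    """
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    required = [cls for cls in classes if any(ch in alphabet for ch in cls)]
    if length < len(required):
        raise ValueError("length too short to contain every character class")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in pw) for cls in required):
            return pw


def passphrase(n_words: int = 6, words=WORDS, sep: str = "-") -> str:
    """Memorable passphrase: n_words drawn uniformly (with replacement) from `words`."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def compare(password_len: int = 16, n_words: int = 6,
            guesses_per_second: float = 1e10) -> dict:
    """Entropy and expected offline-crack time for both constructions at a
    given guess rate (1e10/s assumed here as a GPU-class rate for a fast hash)."""
    pw_bits = entropy_bits(len(FULL_ALPHABET), password_len)
    pp_bits = entropy_bits(len(WORDS), n_words)
    return {
        "password_bits": pw_bits,
        "password_crack_seconds": expected_crack_seconds(pw_bits, guesses_per_second),
        "passphrase_bits": pp_bits,
        "passphrase_crack_seconds": expected_crack_seconds(pp_bits, guesses_per_second),
    }


if __name__ == "__main__":
    print("password:  ", random_password(16))
    print("passphrase:", passphrase(6))
    for k, v in compare().items():
        print(f"{k:28s} {v:,.2f}")
```

The entropy figure only holds when the attacker knows the generation method and every choice is uniform; a six-word phrase from this 64-word toy list is 36 bits, far below the 7776-word list (about 77 bits for six words) that makes passphrases competitive with a 16-symbol random password (about 105 bits). Scaling `guesses_per_second` up by the seven-thousand-fold factor mentioned earlier in the thread is a one-parameter change to `compare`.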
Some people say that a passphrase is a safer password, and it is indeed mathematically true. However, currently most systems have captchas or lockouts, and brute-force or dictionary attacks are no longer used.
One of the more effective methods is, for example: you create a user on a weak site like a blog or something, and then someone breaks in and obtains an email account and the password for the blog.
Maybe, if the hacker is smart enough, he could try the email account with the same password found, and they've got you.
So, different passwords is the safest method; you can use LastPass, 1Password or KeePass to remember your passwords.
They also allow you to use multi-step security with OTP devices like a YubiKey or RSA token.