It clearly isn't going to change: This story has played out time and time again as password databases are compromised and accounts are exploited. While those attacks get the loudest attention, it seems likely that there is much quieter misuse of credentials by the people you trust with them. If you used the same password for iTunes or PayPal that you used for some random site, for instance, it seems obvious that the rolls of the dice will yield a compromise at some point. Even if they carefully scrypt your password before putting it in their database, there are zero guarantees that the sites themselves aren't doing other things with it.
So what is the solution? A better input type="password"? OpenId, OpenAuth, or Facebook Connect, putting more eggs in one basket? Two-factor authentication (widely usable now with OATH implementations of HOTP/TOTP in smartphone apps)?
Something needs to improve because the same story keeps playing out.
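The OATH HOTP/TOTP scheme the post mentions, as an added example that is not part of the original submission: a minimal RFC 4226 / RFC 6238 implementation (HMAC-SHA1, dynamic truncation) plus a verifier that tracks the last accepted time step so a code captured once cannot be replayed. The secret and timestamps below are the RFC test vectors; the function names and the `last_counter` bookkeeping are assumptions of this example.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 shared test secret (constructed sample, not a real key)
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits (zero-padded)."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter = floor(unix_time / step)."""
    return hotp(secret, int(timestamp) // step, digits)


def verify_totp(secret: bytes, candidate: str, timestamp: float,
                last_counter: int = -1, step: int = 30, window: int = 1,
                digits: int = 6):
    """Check `candidate` against the current time step and +/- `window`
    neighbours (clock skew). Returns the accepted counter, or None.

    Counters at or below `last_counter` (the counter the server stored on
    the previous success) are refused, so a code that was phished or
    sniffed cannot be submitted a second time inside the same window."""
    counter = int(timestamp) // step
    for delta in range(-window, window + 1):
        c = counter + delta
        if c <= last_counter:
            continue
        expected = hotp(secret, c, digits)
        # constant-time comparison so timing does not leak digit matches
        if hmac.compare_digest(expected.encode(), candidate.encode()):
            return c
    return None
```

A real deployment stores `last_counter` per user alongside the secret; the secret itself should be kept as carefully as the password hash the post worries about, since it is a long-lived shared key.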