Re: Passwords are stupid (Score: 2)
Are we sure passwords are stupid? They're certainly annoying when compared to using certificates or biometrics or whatever. Isn't the problem here more that passwords that are hard to crack are also hard to remember, and also that password reuse is bad (m'kay)?
I read an excellent article by Dennis Forbes recently who suggested a browser-based mechanism to deal with this. Basically, never send your password to the recipient (whether it's Gawker or your bank). When you type into an HTML password field, hash the password you type in with your username and the domain of the site as a salt and then submit that. That way no one (including the site owner) has any chance to store or intercept your plaintext password.
Now if you use the same username everywhere, you might want to avoid "12345" as a password, but a single complex password could be used for all your sites without worry. It would be a different hash sent to (and stored by) each site, it would be immune to rainbow table attacks, and if you use a good password it would also be secure against brute-force attacks.
http://blog.yafla.com/input_typepassword_Needs_To_Grow_Up/
If browser developers were smart, they'd let you generate or enter a complex UID (generate it on your PC browser and then provide it to your iPhone, laptop, work PC and so on...) and salt with that as well. That way your passwords would work across multiple machines (if you used the same browser password), but it would add huge additional complexity to a brute-forcing attempt because now they need the domain (easy), your username (easy), your site password (hard) and your browser password (hard). So an attacker couldn't log in to your accounts even if they beat your password out of you unless they were using one of your devices. Conversely, if they stole one of your devices, they'd still need to crack your site password.