- Re. the XKCD: he ignores that many sites have a password length limit, and a few of them, at least, will be silently truncating, which makes a phrase worse than using line noise.
Also, I don’t know about him, but in my world, the sites I care about all limit login attempts or speed, so you can’t brute-force them. The “1000 guesses per second” problem is solved by not having the same password on every account: use different ones on banking and Important accounts (none of which will tolerate that sort of behavior from outside), and a shitty generic one on useless sites like forums, because who gives a damn about forums.
And lastly, the Bad People don’t care about my account. They care about getting “easy” accounts; the people who use “Password123” and the like are all screwed.
On your suggestion - I absolutely reject any centralized system where a single point of failure breaks everything and a single security issue compromises everything I do.
Have fun pushing it - I ain’t taking it.
I mean, sure, it makes your life as a website operator easier.
Good for you. Not my problem as a user, however. I don’t care about making your life easier (nothing personal!); I care about mine, and “magical browser-based just works once you give a browser your master super-password” is BAD.
I don’t want to have to give Someone Else’s Computer my Master Credential Authorization to, say, play Kingdom of Loathing.
No. Just no.