I have actually been thinking how terrible this situation is myself lately. As someone who doesn’t have deep crypto experience, I have a question.
I use a password hasher, where I use a not-terribly-long password plus the site’s hostname to generate a hash of arbitrary length (most of my passwords are currently 20 or 24 characters, e.g.)
What I’m wondering is, if you have a short seed word and an arbitrary hash length, does that produce sufficiently random passwords to make them as difficult to crack as user-created ones of the same length, or does that introduce an exploitable weakness?
Reason I’m asking is, could one not build an auth system that works the same way, and bake it into the client? Enter some simple string of say, 8-12 characters, with no restrictions whatsoever, and then a number from e.g. 20 to 64. To login, you then have to remember your (relatively simple) password, and the length, both of which could be used for any number of sites that work this way, because you would incorporate some unique key per site (such as the hostname). The client lib hashes all that crap and basically regenerates your password every time.