
Humans are notoriously bad at choosing passwords, so what about this approach:

When you register for an account you write down on a piece of paper 4 words chosen at random by a computer (eg. "regain gauge chest Texas"). Then to log in you provide (a) your email address, (b) your password, and (c) the passphrase printed on the paper.

This is a bit of a pain for the user, but it would greatly strengthen the security of the website because it would not depend on the security of any other websites. For a to-do-list website I can see it's not worth it, but I cannot understand how some financial websites still think it is acceptable to use only email+password authentication. (I'm looking at you, Mint.com and Schwab.com).

PS: I just tried registering for a Mint.com account - it didn't let me use "password" as my password, but when I used "password1" it said, "You have a Good password". Wow.



That's just a bigger password that they're instructed to keep a copy of then? If you're going to do that, just add a proper OTP factor like a SecurID token that they can carry with them.


Yes a SecurID token is probably more secure than a piece of paper, but it is also less convenient and more expensive.

Also, the piece of paper with 4 words will have 52 bits of entropy while a SecurID token with 6 digits has only 20 bits of entropy. So I wonder whether SecurID would be easier for an attacker who has access to the password hash and salt to derive the original password...?

In any case, whether you use a piece of paper or SecurID the main point is that financial sites which only require email+password are being negligent in their duty to protect user data from unauthorised access.
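The entropy figures quoted above and the paper-passphrase scheme from the original post, as an added example that is not part of the thread: the 52-bit number follows from four words drawn from a list of 2^13 = 8192 words, a 6-digit code gives 6·log2(10) ≈ 19.9 bits, and the server treats the paper phrase like any other secret, storing only a salted slow hash. The word list and the PBKDF2 parameters are assumptions for illustration.

```python
import hashlib
import hmac
import math
import secrets

# Constructed sample word list. The thread's 52-bit figure implies a list of
# about 2**13 = 8192 words (4 words * 13 bits each); use a real list in practice.
SAMPLE_WORDS = ["regain", "gauge", "chest", "Texas", "orbit", "lantern", "copper", "meadow"]


def passphrase_entropy_bits(wordlist_size: int, word_count: int) -> float:
    """Entropy of word_count words drawn uniformly, with replacement, from a list."""
    if wordlist_size < 2 or word_count < 1:
        raise ValueError("need at least two candidate words and one draw")
    return word_count * math.log2(wordlist_size)


def otp_entropy_bits(digits: int) -> float:
    """Entropy of a uniformly random numeric code of the given length."""
    return digits * math.log2(10)


def generate_passphrase(wordlist, word_count: int = 4) -> str:
    """Pick the words with the OS CSPRNG; random.choice is not suitable here."""
    return " ".join(secrets.choice(wordlist) for _ in range(word_count))


def _normalise(phrase: str) -> str:
    # Tolerate extra whitespace when the user types the phrase off the paper;
    # keep case as printed so the entropy estimate is not silently reduced.
    return " ".join(phrase.split())


def store_paper_factor(phrase: str, iterations: int = 200_000) -> dict:
    """Return the record to persist: a per-user salt plus a slow hash of the phrase."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", _normalise(phrase).encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_paper_factor(phrase: str, record: dict) -> bool:
    """Recompute the hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", _normalise(phrase).encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])
```

Because the paper phrase is a second secret rather than a one-time code, a leaked database gives an attacker a 52-bit search instead of a 20-bit one, which is the comparison the comment above is making.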



