
> Stop using the same password anywhere.

You might as well say, "Stop being human." That's never the right solution to network problems that require high reliability.




It's the right solution for anyone who actually cares about security. No amount of indignation (and no amount of concern for security in your own work) will prevent third parties that don't care about security from leaking your data wherever possible.


Network security isn't a person problem, it's a system problem. You can't fix system problems with personal solutions.


But security across multiple sites _has_ to be fixed on the person end, because it can't be fixed on the system end. If you use the same password for 10,000 sites, there's no fix on the 'system' end to make them all secure, because they're all run by different people. It only takes one of them to fuck up.


Third option: there is no "fix," on either end, so telling people to change all their passwords is pointless.


I fixed it for myself by using a password manager. I only have to worry about securing the (encrypted) database, which is comparatively trivial.

I'm still vulnerable to the "supercomputer cracks your encryption" attack but that's orders of magnitude better than having my bank account compromised because some blog leaked my universal password.

Edit: If there were no fix, changing all of your passwords would be the only option besides letting the Internet at large have your accounts. Unless I'm misreading you.


The example was 10,000 sites, so changing all of your passwords being the only option is no option at all.


Good security comes in layers. You are right that you can't control all the layers, but you can make the layers you do control stronger. In today's world (which isn't ideal) that means good password management.


My recommendation is to use "nonce + domain name" for all of the sites you need passwords for and then hash it.

  $ echo "password@$(echo nonce+hackernews.com | md5sum | cut -d' ' -f1 | tr '[:lower:]' '[:upper:]')"

  password@FB85C2F638706D4BE4192391387C2879

The above format gives you lower, upper, digit and special character.


I wish I could do something like this all the time, but there are always some sites that force you to put symbols in your password, or to use both lower and upper case, or to be between 6 and 8 characters long, or whatever weird requirement they thought would be a good idea.

And since I can't (and don't want to) remember which sites enforce which restriction, I end up having to resort to writing my passwords in a text file.


https://www.pwdhash.com is a browser extension that does exactly this automatically.

Oh and hash functions won't output symbols or banned chars. They output numbers and you can choose to represent those numbers in whatever mad way that you want, typically as hex, i.e. letters and digits.

The length might be a problem but there's nothing to stop you truncating the hash.


Be careful when using PwdHash.

The used hashing mechanism is quite weak. If you don't have a long high-entropy master password, it should be feasible for a site-owner to brute-force your master-password based on the site-specific password.


Yes, but then I have to remember for which sites I truncated the hash, for which I converted the hash to hexadecimal, etc.


Le mieux est l'ennemi du bien. -- The perfect is the enemy of the good. (Voltaire)

What product is going to solve every corner case you can throw at it?

FWIW my example string contained symbols, upper, lower and digits:

password@FB85C2F638706D4BE4192391387C2879
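An added example, not code from any commenter above, that ties together three points raised in this thread: the "nonce + domain name, then hash" scheme, the complaint that sites impose different length and symbol rules that nobody wants to memorise, and the warning that a fast hash lets a site owner brute-force the master password from the site-specific one. It derives per-site passwords with scrypt (a deliberately slow, memory-hard KDF) salted by the domain, and keeps a small policy table so the derivation, not the user, remembers which site needs which shape. The site names, policy values and the `SYMBOLS` set are constructed assumptions for illustration.

```python
import hashlib
import string

# Constructed policy table (hypothetical sites, not real rules): records the
# length and symbol constraints each site enforces so the user need not
# remember them. Unknown domains fall back to DEFAULT_POLICY.
SITE_POLICIES = {
    "hackernews.com": {"length": 32, "require_symbol": True},
    "example-bank.com": {"length": 8, "require_symbol": False},
}
DEFAULT_POLICY = {"length": 32, "require_symbol": True}

# Symbol alphabet used when a site demands a special character (assumption).
SYMBOLS = "@#$%&*!?"

# scrypt cost: N=2**14, r=8, p=1 needs ~16 MiB per evaluation and tens of
# milliseconds of CPU, so a site that learns one derived password cannot
# cheaply test candidate master passwords offline the way it could with md5.
SCRYPT_PARAMS = {"n": 2**14, "r": 8, "p": 1}


def derive_site_password(master: str, domain: str) -> str:
    """Deterministically derive a site password from a master password."""
    policy = {**DEFAULT_POLICY, **SITE_POLICIES.get(domain, {})}
    length = policy["length"]
    if length < 4:
        raise ValueError("policy length too short to hold all character classes")

    # Salt with the normalised domain so every site gets an unrelated password.
    raw = hashlib.scrypt(
        master.encode("utf-8"),
        salt=domain.lower().encode("utf-8"),
        dklen=32,
        **SCRYPT_PARAMS,
    )

    # Guarantee one lower, one upper and one digit, each picked by its own
    # key byte, so truncation to a short policy length never loses a class.
    head = (
        string.ascii_lowercase[raw[0] % 26]
        + string.ascii_uppercase[raw[1] % 26]
        + string.digits[raw[2] % 10]
    )
    if policy["require_symbol"]:
        head += SYMBOLS[raw[3] % len(SYMBOLS)]

    # Fill the remainder with upper-case hex of the remaining key bytes and
    # cut to the site's maximum length.
    tail = raw[4:].hex().upper()
    return (head + tail)[:length]


def satisfies_policy(password: str, domain: str) -> bool:
    """Check a derived password against the recorded policy for the domain."""
    policy = {**DEFAULT_POLICY, **SITE_POLICIES.get(domain, {})}
    has_symbol = any(c in SYMBOLS for c in password)
    return (
        len(password) == policy["length"]
        and any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and has_symbol == policy["require_symbol"]
    )


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample master password
    for domain in ("hackernews.com", "example-bank.com", "unlisted.example"):
        pw = derive_site_password(master, domain)
        print(f"{domain:20} {pw}  policy ok: {satisfies_policy(pw, domain)}")
```

The policy table is the part that answers "I can't remember which sites truncate": it is small, non-secret and can be stored in the clear, because the only secret is the master password and the KDF cost is what stands between a leaked site password and that master.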
