What I meant was that I own the process for making my own key, including salting, hashing, random-number generation, or any damn other thing I choose. Instead of me just having to come up with semi-plaintext passwords or passphrases that I can remember, I can just carry around something that can provide me all the keys I could ever want. Perhaps I could keep a backup of this device somewhere in the cloud. Perhaps not.
But with a true distributed, non-predictable password generating system, there is no one crack that can effectively get to all the plaintext passwords. Big benefit there, and keeping something like a dongle in my wallet matches very well with the usual way things of value are already being kept. I'm perfectly happy with taking responsibility for salting, obscuring, and otherwise encrypting my passwords for various sites. In fact, I'd rather do it than have the site owner do it (or not).
The site owner can continue using the password as a check for access; it works the same as before, he's just not responsible for taking something easy for me to do (like remembering some kind of passphrase) and storing that somewhere. Or, in other words, instead of traditional mostly-English passwords each of us will just have our own system of generating rather large impenetrable blobs, which will then be used for authentication. If you crack Gawker the only thing you get of mine is some huge random pile of bytes which I only use for Gawker, not potentially the keys to every other site I use on the internet. I will personally assume responsibility for distributing passwords to tens of thousands of internet sites. This is simple crypto. I do not need to put all of my eggs into one basket, no matter how large, secure, warm, and fuzzy that basket is.
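An added example, not part of the original comment: one way to get the per-site "random pile of bytes" described above from a single secret held on the device. HMAC-SHA256, the `site-password-v1` tag, the rotation counter and the function names are assumptions of this sketch; the comment does not name a construction.

```python
import base64
import hashlib
import hmac
import secrets


def new_master_secret() -> bytes:
    """32 random bytes from the OS CSPRNG: the one value the device stores."""
    return secrets.token_bytes(32)


def site_password(master: bytes, site: str, counter: int = 1, length: int = 40) -> str:
    """Derive the credential for one site from the master secret.

    counter: bump it to rotate a single site's password (for example after
    that site is breached) without changing any other site's password.
    """
    if len(master) < 32:
        raise ValueError("master secret must be at least 32 bytes")
    if not 1 <= length <= 43:
        raise ValueError("length must be between 1 and 43 characters")
    # Normalise the site name so "Gawker.com " and "gawker.com" agree.
    name = site.strip().lower().encode("utf-8")
    # Domain-separated, unambiguous input: tag | name | 0x00 | counter.
    msg = b"site-password-v1\x00" + name + b"\x00" + counter.to_bytes(4, "big")
    digest = hmac.new(master, msg, hashlib.sha256).digest()
    # URL-safe base64 of 32 bytes is 43 characters once padding is removed.
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")[:length]


if __name__ == "__main__":
    master = new_master_secret()  # constructed sample secret, new on every run
    for site in ("gawker.com", "example.org"):  # constructed site names
        print(site, site_password(master, site))
    print("gawker.com (rotated)", site_password(master, "gawker.com", counter=2))
```

A password leaked from one site reveals neither the master secret nor any other site's password as long as HMAC-SHA256 behaves as a pseudorandom function. The master secret is then the single value to protect and back up.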
There is nothing (that I'm aware of) stopping you from setting up your own Open ID provider that used the method you described for authentication. The downside of course is that it's Open ID, which means it's pretty much only useful at places you don't need it.