There is. Or, a variety of ways, really. Two major ones:
Option 1: your passphrase as a salt + the ___domain name + bcrypt = password. Lots of detailed schemes exist for this, including ones you can do on a piece of paper with a little math so you don't have to trust your computer. Inventing them seems to be a hobby for crypto people, or something - I've seen many dozens.
Option 2: you use random passwords, and store them behind your passphrase somewhere. Password managers.
At no point does your single, secure password enter anyone else's hands, so you don't need to trust them to hash it. If one is compromised, none of the others are.
Yup, exactly option 1. But browsers need to support this intrinsically and universally. By salting with the ___domain name, you remove phishing.
Password managers (especially in terms of built-in browser support) are generally a one-machine solution. Yes, there are ways to sync them to mobile devices and the cloud and such, but there's a lot to be desired in terms of portability. I currently use 1password, and it works great for me. I set my mother up on it, too, but it's only a 90% solution for her as she's not quite technically proficient enough to ensure it works all the time.
My question was more if there'd be a smart way you could add one more level of indirection such that: 1) individually compromised passwords could be changed and 2) the master password could be changed without affecting every single site.
Ideally neither situation would be necessary, but servers will be compromised.
I'm personally not a fan of 1, and I don't know that it can ever work to complete satisfaction. Two reasons:
1) Domain names change sometimes, especially with the current trend of weird ending domains, and "www.getx.com" which later becomes "x.com" when they finally pay the squatters. Or a rebranding, or subdomains, etc. How do you handle changes, without recording them? Proactively you can change your password when such a thing occurs, but that's not a reliable assumption.
2) Versioning. If you have to change a password every X time periods, how do you track which version you're on? Without a database? You could salt it with the time the last password was created, but what about time zones? Different calendar systems (did I set that password in China, or Jerusalem, or Canada...?)?
All of which leaves you with a database of some kind in some (fairly likely to occur) situations, which means you essentially have a password manager. As you point out, a 90% solution simply isn't good enough.
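As an added example, not taken from any comment in this thread: a minimal "option 1" deriver in Python that makes the two objections above concrete. PBKDF2-HMAC-SHA256 from the standard library stands in for the bcrypt mentioned earlier, the `normalize_domain` step and the `version` counter are assumptions of this example, and the passphrase and hosts used are constructed sample values.

```python
import hashlib
import string

# Output alphabet for the derived password (assumption of this example).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"
# Largest multiple of len(ALPHABET) that fits in a byte, for unbiased sampling.
_ACCEPT_BELOW = 256 - (256 % len(ALPHABET))


def normalize_domain(host: str) -> str:
    """Canonicalize the host used as salt.

    Lower-cases, drops a trailing dot and a leading 'www.', so that
    'www.example.com' and 'example.com' derive the same password.
    Any other rename (new TLD, rebranding) still yields a different
    password, which is exactly the objection raised above.
    """
    host = host.strip().lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    return host


def derive_password(passphrase: str, ___domain: str, version: int = 1,
                    length: int = 20, iterations: int = 200_000) -> str:
    """Deterministically derive a per-site password from one passphrase.

    The salt binds the output to the site and to a version counter, so a
    site-specific password can be rotated by bumping `version` without
    touching the passphrase or any other site. The version number itself
    has to be remembered somewhere, which is the point made above.
    """
    if version < 1:
        raise ValueError("version must be >= 1")
    salt = f"{normalize_domain(___domain)}|v{version}".encode()
    # Derive more bytes than needed so rejection sampling can discard some.
    raw = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                              iterations, dklen=length * 4)
    out = []
    for b in raw:
        if b < _ACCEPT_BELOW:          # rejection sampling avoids modulo bias
            out.append(ALPHABET[b % len(ALPHABET)])
            if len(out) == length:
                return "".join(out)
    # With length*4 bytes and ~82% acceptance this is practically unreachable.
    raise RuntimeError("not enough derived bytes")


def rotate_site(passphrase: str, ___domain: str, current_version: int) -> tuple[int, str]:
    """Rotate one site's password after that site is compromised.

    Returns the new version number and the new password; every other site's
    password is unchanged because only this salt changed.
    """
    new_version = current_version + 1
    return new_version, derive_password(passphrase, ___domain, new_version)


if __name__ == "__main__":
    # Constructed sample values; not real credentials.
    master = "correct horse battery staple"
    for host in ("www.Example.com", "example.com", "example.org"):
        print(host, "->", derive_password(master, host))
    print("rotated example.org ->", rotate_site(master, "example.org", 1))
```

Running the block shows the first two hosts collapsing to one password while `example.org` differs, and the rotation producing a fresh password for a single site only. Note that nothing here solves the "getx.com became x.com" case: that rename changes the salt, so the old password can only be recovered by remembering the old hostname, which is why the thread concludes that some record, i.e. a password manager of sorts, is hard to avoid.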
> Password managers (especially in terms of built-in browser support) are generally a one-machine solution. Yes, there are ways to sync them to mobile devices and the cloud and such, but there's a lot to be desired in terms of portability.
I use LastPass, and it's about as cross-platform as any app can be. You just need to reconcile yourself with the fact that your passwords will be uploaded (encrypted, of course) to a third-party service. It's also a piece of cake to change individual passwords or the master password without affecting anything else. Most importantly, you get the same anti-phishing benefit as option 1 because LastPass won't offer to auto-fill your password if you're on the wrong ___domain. You don't get this benefit if your password manager is outside your browser.