The Cambridge University Computer Lab has had a crack at this question in their Technical Report 817 on Web authentication: http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.html

Their conclusion is to use the Mozilla password manager (or close analogue, but they like it because it's open source, free, and available). Anyway, it's well worth reading.

A question: password managers are obviously a great idea, and password manager + synchronisation takes care of multiple devices. However, if the passwords themselves are poor, this doesn't help. As well as a browser vault, we need a Passwords API to let a Web site request the creation of a password. You will need:

- a MakePassword() action that creates a random, cryptographically strong password for the specified domain and specified username, with the specified TTL, and registers it in the vault
- a same-domain constraint
- an SSL-only constraint
- a RequestLogin() action, leading to either automatic login or a user dialog as desired
- a RevokePassword() action, that flushes the existing password and forces the creation of a new one. This can be explicitly invoked, for example after a security incident, or else activated when a TTL runs out.
- a user interface action that permits the user to invoke Revoke on all or a subset of the passwords

This addresses: making up passwords, not sharing passwords, remembering passwords, revoking compromised passwords.

No, it won't help if the evil maid sprays liquid nitrogen into your laptop in suspend mode to render analysis of RAM easier yadda yadda, but nothing will*, and if you face that kind of threat, you're operating in a different league and passwords are the least of your worries. Because you're not using them...are you? Also, if the enemy can defeat SSL they can still phish you, but that's going to be a very hard one to eliminate entirely, whatever happens. (And how many security incidents are like that compared to ones involving password compromises?)

Why didn't W3C do this 10 years ago? Kind of amazing, given how common a pattern username/password is, that there is no mention of the word here: http://www.w3.org/TR/

* You can of course encrypt the disk that contains the password vault, but in general, someone with physical access will win.

-- 
The only thing worse than e-mail disclaimers...is people who send e-mail to lists complaining about them