With an average of 5 important sites and 50 less important sites per person, it requires people to *remember* 55 totally different 20-character passwords.
If you could be assured of client-side salted JS hashing of the password prior to submitting it to the server, then you could in principle use the same password everywhere. This used to be the norm, but SSL made it easier first to store plains, and then (as the security concerns of break-ins became apparent) to store server-generated hashes. Yet many, perhaps most, services don't do their job correctly on the server side. If it were still done client-side, a savvy user could make sure hashing were done correctly, and salted appropriately.
The world needs to forget passwords as remote identification and move on to client certificates. Preferably, a separate client certificate for each site. It takes only a small browser plug-in to make it easy.
Ideally, yes, we'd all use unique certs for everything, but then we'd be tied to our particular browsers. You could make this work with a well-implemented browser sync agent, but what about users of pathetic platforms that don't support trustworthy browsers (iPhone, Nokia)? -Cathal