In principle the advantage of this system is that, even if your credentials for one site are leaked, it doesn't leak the password you use on any other site. In theory at least, it could be an incrementally more secure system than we currently have. Unfortunately we already have a lot of companies - big, reputable companies that can afford developers and should know better - doing a pathetically bad job of storing passwords. It's become the norm to hear that company X's database has been hacked and 5 bajillion passwords have been leaked -- and it's a pleasant surprise to hear the company Y's database has been hacked and 0 passwords have been leaked because they were doing their hashing properly. I can readily see them using something like this to hash passwords on the client side and missing out on the tiny detail that the delivered hash has to be hashed again on the server. Ultimately, this is bringing a second sledgehammer to crack the same nut. The only solution will be for us to find a way of securing ourselves online through something other than passwords. It's a shame that efforts like OpenID, Persona etc have yet to get any traction. It'll take a coalition of the big identity providers (@gmail.com, @hotmail.com etc) coming together to integrate something like SSL client certificates or Kerberos, and making it work seamlessly in the browser.