Thanks MagicalTux for this explanation. It really helps build back the trust, and it seems like you've got a good idea of how things should be secured. I 100% trust your intentions and your theoretical understanding of what should be done from a security standpoint. I don't have enough trust in your follow-through, or trust that you'll have the bandwidth to provide excellent service, but you've got opportunities in the future to earn that too.
Even if the password is cryptographically strong, it doesn't mean that it can't actually allow you to predict his future passwords from its style.
For example, I have a specific method to remember passwords without storing them anywhere.
I know that my passwords would never be cracked within a millennium, since they are base96+1 (alphanumeric + upper/lower case + symbols + foreign-language characters), even against Class F, which is the highest level of cracking (1,000,000,000 passwords/sec) normally possible with supercomputers and distributed cracking.
I know that my passwords are not in dictionaries.
But I am not a computer so I can't memorize random characters, therefore I use some heuristics and mnemonics to remember them.
If you saw my password, you could deduce from my style the rules I set for myself for all the passwords I am using on every single site and the future ones I'll generate.
You might not guess it right away, but you could tailor an attack for me, launching a statistical attack, or just building a password-generating algorithm based on the type of rules I set up in my mind for new passwords.
It would considerably narrow down the possible passwords and considerably accelerate the cracking, with an extremely higher degree of success.
Yes, it is security through obscurity, but this obscurity is in my brain, and as long as you don't have a mind reader the password will remain cryptographically secure.
(For the record, my password wasn't cracked, and I am also cracking it myself to test it out. I got more than 2000 passwords cracked; mine is still holding up pretty well, and it should remain that way.)
Therefore I totally agree with mewantsbitcoins: telling people your password is stupid.
It can be really secure and impossible to crack with current means, but, knowing his mindset, it might reveal everything.
There is a *BIG* flaw in your logic, bitsalame. If disclosing just one of your passwords can enable an attacker to tailor attacks against your other passwords, you have to trust *all* the sites where you use that style of password not to store plaintext passwords and not to be intentionally evil. That, in my opinion, is a really risky assumption. Also, with your method it's more easily possible to truly forget a password. For these reasons, I think it is less risky to use a password manager to create truly random passwords. (There's risk there too... but I think less risk.)
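The two posts above make a quantitative claim without numbers: bitsalame's, that one leaked password exposes a "style" that shrinks the search space, and the reply's, that a password manager's uniformly random output has no style to leak. The script below is an added example written for this page, not code from either poster or from any site mentioned in the thread. It reduces a password to its character-class mask (the `?l ?u ?d ?s` notation that common cracking tools use), counts the candidates that mask leaves, compares that with a structure-free search over a 94-character alphabet, and times both at the 1,000,000,000 guesses/sec rate quoted in the thread. The sample passwords, the "capitalised word + two digits + one symbol" style, the 50,000-word list size and the 94-character alphabet are all constructed assumptions for illustration.

```python
"""Added example (not from the thread): how much a leaked password's structure
narrows an attacker's search, versus a password drawn uniformly at random.

Constructed for illustration: the sample passwords, the 50,000-word list size
and the 94-character alphabet (printable ASCII without space). The mask tags
?l ?u ?d ?s mirror the classes used by common cracking tools; the guess rate
is the 1e9/sec figure quoted in the thread."""

import math
import secrets
import string
from typing import Iterable, Optional

CLASSES = {
    "?l": string.ascii_lowercase,  # 26 characters
    "?u": string.ascii_uppercase,  # 26 characters
    "?d": string.digits,           # 10 characters
    "?s": string.punctuation,      # 32 characters
}
ALPHABET = "".join(CLASSES.values())  # 94 printable ASCII characters, no space
GUESSES_PER_SECOND = 1_000_000_000    # "Class F" rate quoted in the thread (assumption)


def mask_of(password: str) -> str:
    """Reduce a password to its character-class skeleton: 'Tiger73!' -> '?u?l?l?l?l?d?d?s'."""
    tags = []
    for ch in password:
        for tag, chars in CLASSES.items():
            if ch in chars:
                tags.append(tag)
                break
        else:
            raise ValueError(f"character {ch!r} is outside the assumed alphabet")
    return "".join(tags)


def shared_mask(passwords: Iterable[str]) -> Optional[str]:
    """The single mask every password fits, or None. A stable mask is the 'style' an attacker learns."""
    masks = {mask_of(p) for p in passwords}
    return masks.pop() if len(masks) == 1 else None


def mask_keyspace(mask: str) -> int:
    """Candidates left once the attacker knows the mask (product of the class sizes)."""
    tags = [mask[i:i + 2] for i in range(0, len(mask), 2)]
    return math.prod(len(CLASSES[t]) for t in tags)


def uniform_keyspace(length: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Candidates for a password of this length when nothing about its structure is known."""
    return alphabet_size ** length


def rule_keyspace(word_list_size: int, digits: int, symbols: int) -> int:
    """Candidates once the attacker also infers the rule 'capitalised word + digits + symbols'."""
    return word_list_size * len(CLASSES["?d"]) ** digits * len(CLASSES["?s"]) ** symbols


def bits_saved(length: int, mask: str) -> float:
    """Bits of search the attacker no longer has to do because the mask leaked."""
    return math.log2(uniform_keyspace(length)) - math.log2(mask_keyspace(mask))


def seconds_to_exhaust(keyspace: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return keyspace / rate


def random_password(length: int) -> str:
    """What a password manager does: an independent uniform choice per position, so no style exists."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample of one person's style: capitalised word + two digits + one symbol.
    styled = ["Tiger73!", "Mango21#", "Viper08$"]
    mask = shared_mask(styled)
    print("style inferred from leaked passwords:", mask)
    for label, space in [
        ("no structure known, 8 chars", uniform_keyspace(8)),
        ("mask known", mask_keyspace(mask)),
        ("rule + 50k-word list known", rule_keyspace(50_000, digits=2, symbols=1)),
    ]:
        print(f"{label:32s} {space:.3g} candidates, {seconds_to_exhaust(space):.3g} s to exhaust")
    print(f"bits the leaked mask saves the attacker: {bits_saved(8, mask):.1f}")
    managed = [random_password(12) for _ in range(5)]
    print("password-manager output shares a mask:", shared_mask(managed) is not None)
```

On an 8-character sample the mask alone cuts the search by roughly 2^17, and guessing the underlying rule brings it to a fraction of a second at the thread's quoted rate. The manager-generated passwords in the last line share no mask, which is the reply's point: there is no style to carry from a breached site to the next one.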