ewhac said:
The above article pretty much convinced me that the only way to be (more) secure is to take a handful of easily-remembered passwords and run them through a one-way hashing algorithm, the result of which is the password you submit to the site. This approach has several advantages:
[ul][li]Each password is site-specific. If it gets brute-forced, it is usable nowhere else.[/li]
[li]Nothing is stored. The password you submit to the site is the result of a hashing routine, and the input is something you remember. Thus, if your machine gets compromised or stolen, the attackers gain nothing.[/li]
[li]All processing is local. You're not using a proxy site or cross-site scripting or third-party cookies to store or forward passwords. The whole hashing process runs on your machine and nowhere else.[/li][/ul]
When you say "one-way hashing algorithm", I assume you mean a password key derivation function (such as scrypt, bcrypt or PBKDF2). Just applying a run-of-the-mill hash function to your password barely makes it any harder to guess, since hackers can just as well apply this function to each of their guesses while brute-forcing. Applications such as hashcat are specifically designed to circumvent crappy password hashing schemes (which are extremely common) and are really good at that.
In fact, hash functions are deterministic, and therefore
do not add any entropy to your password, unless the attacker is completely unaware of the hashing scheme used and does not guess it correctly (relying on this is a form of "security through obscurity", which is generally not a good idea). If the attacker knows about (or can guess) the hash function used, guessing
some-hash-function(
some-password) takes just as many attempts as guessing
some-password.
Those key derivation functions I mentioned, however, are a special kind of hash function that are intentionally designed in such a way that they take a lot of time to compute. While they do not increase the number of guesses a hacker has to do, they do make each individual guess take up a lot more time. Additionally, a method called "salting" is employed to prevent hackers from using particular techniques to guess passwords from a large group of users en masse (for instance, after hacking a database). Instead, they have to brute-force each user's password individually.
Proper password hashing is very important when operating a web server, for example, because it can prevent user passwords becoming known after a database breach. Unfortunately, most programmers have no idea about best practices and roll their own password hashing schemes which are trivial to circumvent.
The same seems to hold for that PasswordMaker tool you mentioned. Judging from their FAQ, the creators are completely unaware of the problems I mentioned before. Furthermore, they also seem to only have a slight understanding of some aspects of cryptography but apply them in a completely wrong manner, resulting in a terribly insecure product. It might still be effective if hackers don't bother to adjust their brute-force routines specifically for this, but if they would (which may be the case if this tool becomes more widely used) they can easily circumvent it. I would definitely recommend
not to use PasswordMaker.
I made up my own "algorythm" to form passwords, but there is always a lot of "now for something random" in them to make it irregular... At least I hope it does this 
