masimpson's comments

The logic behind this system isn't terrible. But as others have pointed out, it still relies solely on a third party. And while it's true that exposing the entire user list would not give an attacker much in the way of gaining access, it's still a leak of trackable information. I think a more secure solution would be to model an authentication standard after public/private key encryption. If all browsers would endorse it, the interface would be remarkably simple.

Present the end-user with a certificate management dialog when they open a browser for the first time. That would allow them to either browse for an existing certificate or create a new one. After one is created they're given a copy which could be used in any other browser at a later time. From that point on, each time a Web server requires authentication it could be handled behind the scenes. No log on page, no passwords, no user names; only aliases and a push button start. Signing up would become a one click affair, as well. Press the button, and the browser sends the public key to the Web server. A site gets hacked? Big deal, there are no vulnerable hashes -- only public keys. You would never be required to remember anything more than backing up your certificate. Worried about recovery? Do what you would do with SSH. Pop the cert on a thumb drive and hide it. Hell, even create a feature in that management dialog to do it for you.

This of course would require a large standards body and the involvement of every major browser company. But in the end, it would be easier.
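
The comment leaves the login step at "handled behind the scenes"; one way it could work is a signed, single-use challenge, sketched here as an added example that is not part of the comment or of any browser standard. The `Server` and `Browser` classes, the Ed25519 choice, the `origin|alias|nonce` message layout and the `example.test` origin are all assumptions; the code uses Node's built-in `crypto` module.

```javascript
const nodeCrypto = require("crypto");
// Server: stores only alias -> public key, so a database leak exposes no secrets.
class Server {
  constructor(origin) {
    this.origin = origin;
    this.users = new Map();   // alias -> public key (PEM)
    this.pending = new Map(); // alias -> outstanding nonce, valid for one login
  }
  signUp(alias, publicKeyPem) { this.users.set(alias, publicKeyPem); }
  challenge(alias) {
    const nonce = nodeCrypto.randomBytes(32).toString("hex");
    this.pending.set(alias, nonce);
    return nonce;
  }
  login(alias, signature) {
    const nonce = this.pending.get(alias);
    this.pending.delete(alias); // consume the nonce so a replayed signature fails
    const pem = this.users.get(alias);
    if (!nonce || !pem) return false;
    // The server rebuilds the message with its own origin, not one the client claims.
    const msg = Buffer.from(`${this.origin}|${alias}|${nonce}`);
    return nodeCrypto.verify(null, msg, pem, signature);
  }
}

// Browser: holds the private key and binds each signature to the origin it is visiting.
class Browser {
  constructor() {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ed25519");
    this.privateKey = privateKey;
    this.publicKeyPem = publicKey.export({ type: "spki", format: "pem" });
  }
  sign(alias, visitedOrigin, nonce) {
    return nodeCrypto.sign(null, Buffer.from(`${visitedOrigin}|${alias}|${nonce}`), this.privateKey);
  }
}

// Constructed scenario: one sign-up, then four login attempts.
function demo() {
  const site = new Server("https://example.test");
  const user = new Browser(), stranger = new Browser();
  site.signUp("alice", user.publicKeyPem);
  const sig = user.sign("alice", site.origin, site.challenge("alice"));
  return {
    first: site.login("alice", sig),   // valid signature over a fresh nonce
    replay: site.login("alice", sig),  // same signature again, nonce already consumed
    otherKey: site.login("alice", stranger.sign("alice", site.origin, site.challenge("alice"))),
    otherOrigin: site.login("alice", user.sign("alice", "https://other.test", site.challenge("alice"))),
  };
}
```

Only `first` succeeds: the replayed signature, the signature from a key other than the registered one, and the signature made while visiting a different origin are all rejected.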

