Hunt recommended users try a password manager that creates unique passwords for each site or account, remembers those passwords, and then slaps them into place either automatically or at command.
"If the mousetrap is single-factor passwords, we need a better mousetrap," said Hunt, who argued that two-factor authentication, while suitable for businesses, wasn't going to fly for consumers. "So you need long and random and unique passwords. But you can't do that without a password manager," he said.
LastPass, however, warned customers last month to change their master passwords after reporting what it called a "traffic anomaly" on one of its servers.
Hunt also did additional analysis on the Sony Pictures passwords leaked by LulzSec, and confirmed what earlier research -- including some done last year by Michigan-based Duo Security on the Gawker passwords.
Like Duo, Hunt found that the vast majority of passwords were too short, built on too-few character types, and were not unique enough to stand up to simple dictionary-based attacks.
"The only secure password is one you can't remember," said Hunt.
Sign up for Computerworld eNewsletters.