
You missed the central part of my argument, so I'll reiterate it here: users don't care about this stuff, and passwords are user-hostile. Google chose to implement this a certain way that works for 99.99% of people.

Now, in the 0.01% case, your counter argument still doesn't hold, in my opinion:

> Do you really want to trade all your stored passwords for the convenience of not having to enter 1 additional password ('my Android backup password')

Yes.

Even strong wifi passwords can be brute-forced within minutes from the curb by anybody with an unmarked van and a measly few GPUs. At this point in the technology race, wifi passwords are really just keeping the honest people out. If you want something stronger, you're going to have to go to machine certificates on each laptop / mobile device.

> once every one or two years when you activate a new or additional device??

Even worse, passwords that aren't used often exit my fingers' memory and are thus lost to time (unless I write them down and store them in my safe deposit box or keepassdroid or whatever, but "hardly anybody" does this, so Google would get phone calls from users every year or two saying "can you give me the password that I'm supposed to be using to keep from giving you my passwords? kthx").



Can you give a source for that? I thought WPA2 AES was still quite secure, assuming you use a long random password.


Ah, you're quite right, thanks for making me look this up.

I found some Tom's Hardware article that goes into "a few GPUs in a desktop" all the way through "renting 20 machines with GPUs from EC2 for a while for <$20 USD", and it seems like a password that is long (>=12 characters for now), doesn't have dictionary words, and uses more than just [a-zA-Z0-9] will be safe from undedicated adversaries for a number of years (probably the life of whatever router you're using).
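As an added illustration (not part of the thread), the script below checks a WPA2 passphrase against the three criteria the comment above lands on (length >= 12, no dictionary words, characters beyond [a-zA-Z0-9]) and shows why each offline guess is expensive: WPA2-Personal derives the PSK with PBKDF2-HMAC-SHA1 over 4096 rounds, salted with the SSID. The guess rate and the tiny word list are assumptions stated in the code, not figures from the article.

```python
import hashlib
import math
import string

# Constructed stand-in for a real dictionary (assumption for the example).
WORDLIST = {"password", "correct", "horse", "battery", "staple", "dragon", "welcome"}

# Assumed sustained guess rate for a modest GPU rig; not a figure from the thread.
ASSUMED_GUESSES_PER_SEC = 1_000_000


def wpa2_psk(ssid: str, passphrase: str) -> bytes:
    """WPA2-Personal PSK derivation as specified in IEEE 802.11i:
    PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 256-bit output.
    An offline attacker pays these 4096 rounds per candidate passphrase,
    which is why cracking is measured in GPUs rather than CPU seconds."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def charset_size(passphrase: str) -> int:
    """Size of the smallest character pool that covers every character used."""
    pool = 0
    if any(c in string.ascii_lowercase for c in passphrase):
        pool += len(string.ascii_lowercase)
    if any(c in string.ascii_uppercase for c in passphrase):
        pool += len(string.ascii_uppercase)
    if any(c in string.digits for c in passphrase):
        pool += len(string.digits)
    if any(c in string.punctuation for c in passphrase):
        pool += len(string.punctuation)
    return pool


def check_passphrase(passphrase: str, rate: int = ASSUMED_GUESSES_PER_SEC) -> dict:
    """Apply the thread's three criteria and estimate how long exhausting the
    keyspace would take at the assumed guess rate (upper bound: brute force only)."""
    pool = charset_size(passphrase)
    bits = len(passphrase) * math.log2(pool) if pool else 0.0
    lowered = passphrase.lower()
    alnum = string.ascii_letters + string.digits
    return {
        "long_enough": len(passphrase) >= 12,
        "no_dictionary_words": not any(w in lowered for w in WORDLIST),
        "beyond_alnum": any(c not in alnum for c in passphrase),
        "entropy_bits": round(bits, 1),
        "years_to_exhaust": (2 ** bits) / rate / (365 * 24 * 3600),
    }
```

Note that the years estimate is an upper bound: a passphrase built from dictionary words falls to a wordlist attack long before the character-class keyspace is exhausted, which is why the dictionary check is reported separately.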
