Using a bookmarklet to store passwords is appealingly simple. Alas, after doing some digging, I couldn’t find any viable options.
The first concern I came across is that it is important to use a hash algorithm that’s slow (e.g. bcrypt or scrypt). Otherwise it’s too easy to brute-force the master password based on a site password. Suppose a site you visit stores your password in plaintext and gets hacked. That breach then compromises your master password, even though only your site-specific password was revealed.
I was not able to find any PwdHash derivative that used bcrypt. I did find a simple command-line tool based on scrypt, but that’s not great if you don’t have easy access to your own computer.
Solutions like PassPack offer the potential to solve these problems (extension rather than bookmarklet, use of strong encryption rather than weak hashing), but have an Achilles heel of their own: the service provider has the power to decrypt all your passwords. For now I’ll stick with my moinmoin-client-crypt approach.
UPDATE 2012-05-19: PassPack does not store your packing key on their servers after all. (LastPass does not either, nor does Clipperz.) But you still must trust them, as they are in a position to insert backdoors into either the browser add-ons or web-based access they provide. This is less of an issue with Clipperz, since you can run the Community Edition on your own hardware. Some brief comparisons here and here. Also there is some interesting discussion in the comments of the previously linked PassPack critique. Gabriel Weinberg has LastPass amongst his list of services used at DuckDuckGo. LastPass did possibly have a data breach, but they handled it well. Some more details on PassPack’s packing keys and master keys.