Files as passwords
We're going in this direction, but basically: make the password equivalent to uploading a file. It could be a proper security certificate, but for ease of use it could also be an image file, which would be easier for the user to recall and easier than continually setting up certs. That would make cracking hashes from a stolen database file practically impossible.
Users could then store the key files/images in an encrypted folder locally, which means attackers would need both the folder and the encryption password for each user.
For additional security, a small bit of client-side code could hash the URL (offer unique URLs for login) with the key file and send only the hash. That way the receiving server never sees the actual key file after the account setup, so spoof phishing sites can't sit and harvest password attempts to use later to compromise accounts.
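A sketch of the URL-bound login described above, added here as an illustration and not code from the original post. It assumes HMAC-SHA256 as the "hash the URL with the key file" step, a server that keeps the SHA-256 digest of the file from account setup, and a single-use random token in each login URL; the `Server` class, function names, and `.example` hosts are all hypothetical.

```python
import hashlib
import hmac
import secrets

def file_verifier(key_file: bytes) -> bytes:
    """Digest of the key file; sent once at account setup and stored server-side."""
    return hashlib.sha256(key_file).digest()

def client_response(key_file: bytes, login_url: str) -> str:
    """Client side: bind the key file to the URL actually being visited."""
    key = file_verifier(key_file)
    return hmac.new(key, login_url.encode(), hashlib.sha256).hexdigest()

class Server:
    def __init__(self, origin: str):
        self.origin = origin
        self.verifiers = {}  # user -> digest stored at setup
        self.pending = {}    # user -> outstanding one-time login URL

    def enroll(self, user: str, key_file: bytes) -> None:
        self.verifiers[user] = file_verifier(key_file)

    def issue_login_url(self, user: str) -> str:
        url = f"{self.origin}/login/{secrets.token_urlsafe(16)}"
        self.pending[user] = url
        return url

    def verify(self, user: str, response: str) -> bool:
        url = self.pending.pop(user, None)  # single use: a replayed response fails
        if url is None or user not in self.verifiers:
            return False
        expected = hmac.new(self.verifiers[user], url.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)

def demo() -> dict:
    key_file = b"\x89PNG constructed sample bytes standing in for an image"
    real = Server("https://bank.example")
    real.enroll("alice", key_file)
    good = client_response(key_file, real.issue_login_url("alice"))
    results = {"genuine": real.verify("alice", good),
               "replay": real.verify("alice", good)}
    # A look-alike site shows its own URL, so the value it receives is bound to that URL.
    harvested = client_response(key_file, "https://bank-login.example/login/abc")
    real.issue_login_url("alice")
    results["phished"] = real.verify("alice", harvested)
    return results
```

Under these assumptions the stored digest is exactly what the server uses to check responses, so it has to be protected as carefully as the key file itself.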