Re: We need a browser extension...
"This scheme does _not_ protect against other hazards; hackers can, for example, intercept the hashed password and send it to log into that particular site (i.e., you still need HTTPS) and can keylog, shoulder-surf, etc. I don't see any panaceas. You need complex passwords, salted and hashed so they can't be easily deciphered, limits on how many password attempts are allowed in a particular time interval, 2FA, and HTTPS... even though no one or two of these alone are sufficient."
Except if you make things TOO complicated, you force people to create shortcuts that malcontents can exploit. You need a solution that's strong enough to block anything short of an insider or state yet simple enough that even the dullest drone can and will do it nigh-automatically.