It's time for HTML of the future to give us the ability to obfuscate data in-memory. If password fields were stored as obfuscated values, then there would be a very low chance of a password recovery by any person or any exemplary skill. Plus, we wouldn't have to rely upon client-side JS to do hash obfuscation. I suggest a simple extension to the input form element: [ input type='password' obfuscator='sha512;salt=FooFooFoo' ] We would define our own salt, or no salt, to keep the hash consistent (homomorphic) across creation and challenge. This can be done with JS but it doesn't prevent malicious adware JS from exploring the DOM and getting the "value()" property of an input element that is named "password". Pretty please?