One other way. Websites could hash and salt the users password client side, then proceed as usual (SSL and hash it server side). Means the users password is effectively a long, secure passphrase and is unique. What do you think?