by fornever 3442 days ago
I'll admit the situation would get slightly better, but all these incremental fixes don't deal with the real problem, which is that authentication is treated no differently from any other data. If authentication was treated differently you could quite easily...

1. Distinguish clearly between authenticating to the correct server and entering form data.

2. Not send the actual password to the server but instead use some form of challenge-response.

3. Store the authentication token securely i.e. not as a cookie.

4. Enable other forms of authentication e.g. with keys.

5. Decrease the use of passwords overall (though better password authentication would still be a win).

This would make it much harder to perform a range of attacks from phishing to session hijacking. It would also potentially increase privacy, since you could more easily disable things like tracking. The reason you don't see the improvements you mention is to some extent because the engineers in question would have to reconcile themselves with the idea that they are the ones responsible. It's much easier to hold the position that it's other entities, or users, that don't understand how things work.
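Points 1 and 2 of the comment above (authenticating the server, and never sending the password itself) are what a salted challenge-response exchange in the style of SCRAM gives you. The example below is added here and is not from the commenter or any project the thread discusses; it is a self-contained, simplified SCRAM-like exchange (the iteration count, label strings and message format are constructed for illustration, not a standard's exact wire format). The server stores a verifier, the client proves knowledge of the password without transmitting it, and the server must in turn prove it holds the verifier, so a look-alike host that only knows the salt cannot complete the exchange.

```python
import hashlib
import hmac
import secrets

# Constructed parameters for this example (not taken from the comment above).
HASH = "sha256"
ITERATIONS = 100_000


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _h(data: bytes) -> bytes:
    return hashlib.new(HASH, data).digest()


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, HASH).digest()


def derive_keys(password: str, salt: bytes, iterations: int):
    """Client-side derivation: the plaintext password never leaves this function.

    Returns (ClientKey, StoredKey, ServerKey) in SCRAM terminology.
    """
    salted = hashlib.pbkdf2_hmac(HASH, password.encode(), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    server_key = _hmac(salted, b"Server Key")
    return client_key, _h(client_key), server_key


def register(password: str) -> dict:
    """Enrolment: what the server keeps is a verifier, not the password."""
    salt = secrets.token_bytes(16)
    _, stored_key, server_key = derive_keys(password, salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS,
            "stored_key": stored_key, "server_key": server_key}


def authenticate(password: str, record: dict) -> tuple:
    """Run one exchange between a client holding `password` and a server holding `record`.

    Returns (server_accepted_client, client_accepted_server).
    """
    # 1. client -> server: username (omitted here) and a fresh client nonce
    client_nonce = secrets.token_hex(16)
    # 2. server -> client: salt, iteration count, combined nonce
    server_nonce = client_nonce + secrets.token_hex(16)
    auth_message = (
        f"n={client_nonce},r={server_nonce},"
        f"s={record['salt'].hex()},i={record['iterations']}"
    ).encode()
    # 3. client -> server: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)
    client_key, stored_key, server_key = derive_keys(
        password, record["salt"], record["iterations"])
    client_proof = _xor(client_key, _hmac(stored_key, auth_message))
    # Server side: recover ClientKey from the proof and check H(ClientKey) == StoredKey.
    recovered_key = _xor(client_proof, _hmac(record["stored_key"], auth_message))
    server_ok = hmac.compare_digest(_h(recovered_key), record["stored_key"])
    # 4. server -> client: ServerSignature, which only a holder of ServerKey can produce
    server_sig = _hmac(record["server_key"], auth_message) if server_ok else b""
    client_ok = hmac.compare_digest(server_sig, _hmac(server_key, auth_message))
    return server_ok, client_ok


if __name__ == "__main__":
    rec = register("correct horse battery staple")
    print(authenticate("correct horse battery staple", rec))  # (True, True)
    print(authenticate("wrong password", rec))                 # (False, False)
```

The caveat a practitioner would add: the verifier is still sensitive. A leaked `stored_key` together with a captured transcript lets an attacker recover `client_key` for that session and replay it, which is why real deployments pair this exchange with TLS and channel binding rather than treating it as a substitute for transport security.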