by megous
1576 days ago
I've had similar ideas, too. But I just ended up using a randomly generated email address and password per website, which does two things for me: resistance against password resets (no one knows what email to put into a password reset form) and credential stuffing. The author's solution adds some auth replay protection, compared to what I use. But that's very little additional protection against threats that would be hardly a problem in practice for me. I just use TLS to protect the auth interaction (so who's going to capture the credentials?). Most importantly, passwords actually work almost everywhere.