by tidenly
1176 days ago
Just a note on the amendment at the end: storing hashes of passwords is the industry standard, but on the server side, not on the client. Even if some other key is derived from the original password, in the end that thing is going to have to be passed as-is for authentication and will need to be stored somewhere. If you look in your Apple keychains, LastPass, browser saved passwords, all of that data is viewable in plaintext on your machine. Maybe it could be argued the password shouldn't be stored in plaintext on the storage, so it would have to be decrypted during runtime to get the original plaintext password back again. This does add some security, but it only takes someone dedicated enough to pull out the decryption source from the application to get around it.