You propose a change that requires every browser to cut a new release, requires the publication of a new standard definining a new input type, and requires browser vendors to agree on a new crypto protocol to run with servers. All involved parties will have to figure out the backwards-compat bits of this. Then everybody who builds webapps will need to be educated about it.
That's expensive. It's very, very expensive. So if you're going to advocate for something like it, advocate for SRP, a well-studied, cryptographically sound construction designed for exactly this problem statement.
"This is a plaintext-equivalent authentication system that is literally faster to crack than the password hashes Gawker already gave up" is not the same thing as "Get off my lawn".
If you had used the word "debatable" I'd have agreed with you, but you said "ludicrous", which tells me you don't understand how password cracking works.
You might not have been aware of this, but DES crypt(3) is not that much different from SHA1(salt, hash). It takes a salt parameter that is adequate to the task of stopping "rainbow table"-style procomputation. It uses your password as the key to the DES cipher, meaning that every password hash is key-scheduled differently --- one of the reasons why continuously re-hashing DES passwords might be slower than SHA1. It is by no means a strong password hash function, but it avoids some (not all) of the most amateurish design mistakes people make with these functions.
I'm a browser implementor and I agree, this proposal doesn't have enough value to be worth doing. Inventing a password field UI that is unforgeable is hard, users will stay used to normal password fields, and it is easy to forge a regular password field using JS. Therefore this proposal won't help with phishing, and that seems to be the only area where it has a hope of helping.
> with some sort of visual, non-spoofable indication by the browser, such as the titlebar blinking green or some such thing
Then I'd put some secure password box 500 pixels above the top of the page to make the titlebar blink green, and then make the input box the user is typing in be a normal one.
Instead make the text box blink green and I'd fake that with javascript. In fact, anything that shows up on the page and you can fake it with images and javascript. Or flash. Or a canvas tag.
Sure, the people who really know what they're doing could view the page source or confirm through other methods that this is the real password box -- but those guys are already using passwords better than "password123". I'm not saying it's impossible, but you have to realize how difficult it is to get the average user to recognize 'this is a real secure password box' versus 'this is a fake one that looks real.'
The stakes for "hard-to-phish login UX" are immensely high: banks are spending tens of millions trying to roll out advanced authentication. It's not like nobody ever thought of "unspoofable login page" before; it's that "unspoofable login page" is the problem statement, not the solution.
