What if we improved the web forms used for password changes in the way described below, to avoid leaking the password through a MITM or an application/server-side compromise?
When the user enters a new password, the browser creates a key pair, protects the private key with the password, and sends both the password-protected private key and the public key to the server.
When the user opens the login page, the server encrypts a token with the user's public key and sends both the encrypted token and the user's protected private key to the page. When the user enters the password in the login form, the browser unseals the private key with the password, decrypts the token, and then uses that token to authenticate.
This way the user's password never reaches the server, yet the user can still authenticate with the password from any endpoint (no need to keep the private key locally).
There are downsides to this approach, but it is still interesting to consider. Actually, has this ever been considered? This page is just to dump the idea on paper.
One downside: the protected private key can easily be collected, and if the password is weak it is relatively easy to brute-force.