If a device has a screen, and another device has a camera, it should be trivial to log in using a QR code between the two.
This avoids the use of passwords, and could even allow passwords to be disabled completely! You can’t breach/leak something that doesn’t exist!
(Alternatively, client-cert-wrapped public key authentication, similar to SSH, would also be nice. This way, the key is derived client-side and no password or private key or other secret is ever sent to the server. It’s also 100% MITM-proof, unlike the QR codes. Might be a while until HTTPS clients start adding support for this, though…)