Attach a client-bound code to the login screen (phishing protection)
Pleroma should generate a client-bound code (probably as a cookie) made of 4 emoji or so. This code should be attached to the login screen with some help text on it saying that if it's not the same as you're used to, you're on a phishing page.
This doesn't do anything to prevent a hacked server from getting your password in plaintext, but it at least should help with phishing pages. It's also easily defeated by clearing cookies on browser exit (private browsing etc). However, I don't believe these issues should be used as an excuse to prevent adoption of client-bound codes - the main thing we're trying to protect against here is phishing through phishing pages, and this proposal does accomplish that goal.
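
A sketch of the cookie-backed code proposed above, as an added example that is not Pleroma code or part of the original issue. The cookie name, the 16-emoji alphabet and the hex token encoding are assumptions made for illustration; the token is validated before rendering so that a tampered cookie never reaches the login page HTML.

```python
import secrets
from http.cookies import SimpleCookie, CookieError

# Constructed 16-symbol alphabet: one hex digit of the cookie picks one emoji.
EMOJI = ["🍎", "🚲", "🌵", "🎲", "🐙", "🔔", "🍄", "⚓",
         "🎈", "🦊", "🌙", "🧩", "🥝", "🚀", "🐢", "🎺"]
HEX = "0123456789abcdef"
COOKIE_NAME = "login_code"          # hypothetical cookie name
CODE_LEN = 4                        # "4 emoji or so"
MAX_AGE = 10 * 365 * 24 * 3600      # long-lived so the code stays familiar


def parse_token(cookie_header):
    """Return the stored token if it is exactly CODE_LEN hex digits, else None."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError:
        return None
    morsel = jar.get(COOKIE_NAME)
    if morsel is None:
        return None
    value = morsel.value
    if len(value) == CODE_LEN and all(ch in HEX for ch in value):
        return value
    return None


def token_to_emoji(token):
    """Map each hex digit of a validated token to its emoji."""
    return "".join(EMOJI[int(ch, 16)] for ch in token)


def login_code(cookie_header):
    """Return (emoji_code, set_cookie_value_or_None) for rendering the login page."""
    token = parse_token(cookie_header)
    if token is not None:
        return token_to_emoji(token), None      # returning browser: same code
    token = secrets.token_hex(CODE_LEN // 2)    # CSPRNG, 4 hex digits
    jar = SimpleCookie()
    jar[COOKIE_NAME] = token
    morsel = jar[COOKIE_NAME]
    morsel["path"] = "/"
    morsel["max-age"] = MAX_AGE
    morsel["secure"] = True      # only sent over HTTPS
    morsel["httponly"] = True    # rendered server-side, scripts never need it
    morsel["samesite"] = "Lax"
    return token_to_emoji(token), morsel.OutputString()
```

The browser only sends this cookie to the instance's own origin, so a look-alike domain has no stored code to display and can only show a different one.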