Hashing could happen client-side, but there’s not much of a difference. If you’re using HTTPS, then all traffic to the server is end-to-end encrypted anyway.

At some point you have to trust the website that you’re connecting to, but obviously don’t re-use passwords, use a password manager, etc etc

Recently I have been using river. It’s extremely easy to configure via a shell script, and it’s very fast and stable. It’s another dwm clone