This is something I've wanted for around a decade: a polyfillable, pure-HTML standard for making it so that clients compute a hash of the password before sending it to the server. This allows servers to offload resource-heavy key derivation algorithms (like PBKDF2, or scrypt) off to clients (who can then compare the strong derived key using a much more light-weight hash function).
Ideally, it would work something like this:
<input type="password" crypt="bcrypt" work="cost:11" salt="username">
The "crypt" attribute names the algorithm that should be used by the client to hash the password on submission. The "work" attribute defines the work parameters for that function to be configured with. The "salt" attribute defines the ID of an element to derive the salt from. (This could maybe be expanded to allow for multiple fields to derive salts from.)
(Edit: renamed "hash" to "crypt" to avoid resemblance to the unrelated "hash" property on HTMLAnchorElement.)
If a server wishes to use per-user salts, it should first prompt for a username, then send (or generate via AJAX) a second form with a hidden input containing the user's salt. (Requests for non-existent users may either be responded to with an error, or with a fake salt, depending on whether or not the server wishes to disclose user existence.)
Alternatively, clients may elect to use a fixed global salt (a "pepper"), or to eschew salts together, as salts are not as necessary as they once were.
A polyfilling library may check for WebCrypto implementation of an algorithm, and fall back to an (HTTPS loaded) script implementing any algorithm not supported by the client.
Due to the way the DOM event bubbling model works, without a synchronous WebCrypto API, the submit event will need to be cancelled, then re-emitted after the hashing completes.
In the event that a client which does not support Server Relief has scripting disabled (so the relief cannot be polyfilled), their plaintext login attempt, detectable by not matching the syntax of a valid password hash, may be placed into a limited server-side stable of hashing (where a fixed number of requests may be hashed at a time).