Topic: Re: 5 BTC giveaway!
Board: Games and rounds
Posted by Scrat Acorns on 18/05/2013, 08:55:16 UTC
You are skipping another approach that should be obvious: there are bugs everywhere. I don't actually need to compromise a computer in order to access their cookies (including the httpOnly ones), I just need a browser with a bug that has been published (or not) which allows access to cookies.

Of course there are other approaches, maybe they are just not feasible for you? GMail uses cookies too, but plain passwords are something you won't find there.

You're arguing just for the sake of argument.

I suspect you're going to have to wait a long time for that bug, because this is the sort of bug that would break the entire internet. Cookies are sandboxed. If a bug allows a website to read another website's cookies, then that's the mother of all 0days. In a universe where a bug of this magnitude is likely to happen, you might just have browsers accessing your files (along with your wallet.dat), accessing other processes' memory (yes, your encrypted wallet), or even deleting your hard drive.

Here are the alternatives:

1) Sending the password encrypted to the browser. That would accomplish nothing since there's still a 1-to-1 relationship of encrypted to cleartext.

2) A static session ID. Again, if someone got a hold of your session ID they would be able to access your account.

3) A dynamic session ID that changes on every request. That would make it a bit harder, but the end result is the same.

Since the password is dynamically generated and I don't allow you to change it, it acts as a unique ID. This is not Gmail, this is not a banking website. It's a game with loginless "accounts".
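The three alternatives listed in the post (a static token, a per-request rotating token, and a server-generated unguessable password acting as the account ID) can all be modelled with a few lines of server-side code. The block below is an added example written for this page; it is not the giveaway site's own code and nothing about that site's implementation is known. It assumes a toy in-memory "game" where the only identity is a random token, stores only the SHA-256 of each token so a leaked table does not leak usable tokens, and optionally rotates the token on every request (alternative 3), which is what makes a captured token stop working after its one replay window. The cookie name `game_id` is a placeholder; the cookie attributes are the standard ones a defender would set on such a token.

```python
"""Toy model of loginless, token-identified accounts (constructed example).

Not the code of the site discussed in the thread; written to illustrate the
trade-offs between a static session token and a per-request rotating one.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Account:
    balance: int = 0


class LoginlessGame:
    """Accounts are identified solely by an unguessable server-generated token."""

    def __init__(self, rotate_per_request: bool = False) -> None:
        self.rotate = rotate_per_request
        # Keyed by SHA-256 of the token: a dump of this table does not yield
        # tokens that can be replayed against the live service.
        self._accounts: Dict[str, Account] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    @staticmethod
    def _new_token() -> str:
        # 32 random bytes (256 bits) from the OS CSPRNG, URL-safe encoded.
        return secrets.token_urlsafe(32)

    def create_account(self) -> str:
        token = self._new_token()
        self._accounts[self._digest(token)] = Account()
        return token  # the only time the cleartext token leaves the server

    def _lookup(self, token: str) -> Optional[Tuple[str, Account]]:
        key = self._digest(token)
        account = self._accounts.get(key)
        return None if account is None else (key, account)

    def deposit(self, token: str, amount: int) -> Tuple[Optional[int], Optional[str]]:
        """Credit an account. Returns (new balance, token to use on the next
        request), or (None, None) if the token is unknown or the amount invalid."""
        found = self._lookup(token)
        if found is None or amount <= 0:
            return None, None
        key, account = found
        account.balance += amount
        if not self.rotate:
            # Alternative 2 (static ID): the same token keeps working forever,
            # so anyone who captures it owns the account until it is reset.
            return account.balance, token
        # Alternative 3 (rotating ID): retire the presented token and hand the
        # client a fresh one. A captured token is useless once the legitimate
        # client has made its next request.
        del self._accounts[key]
        new_token = self._new_token()
        self._accounts[self._digest(new_token)] = account
        return account.balance, new_token


def set_cookie_header(token: str, name: str = "game_id") -> str:
    """Set-Cookie line for the token. `name` is a placeholder; the attributes
    keep the token off the wire in cleartext, out of reach of page scripts,
    and out of cross-site requests."""
    return f"Set-Cookie: {name}={token}; Path=/; Secure; HttpOnly; SameSite=Strict"


if __name__ == "__main__":
    game = LoginlessGame(rotate_per_request=True)
    first = game.create_account()
    print(set_cookie_header(first))
    balance, second = game.deposit(first, 5)
    print("balance:", balance, "| old token still valid?", game.deposit(first, 1) != (None, None))
```

Run as a script it prints the cookie header and shows that, with rotation on, the first token is rejected once a second one has been issued. The rotating variant changes nothing about the core point the post makes: whoever holds the current token is the account, so the scheme's security rests entirely on the token's entropy and on the channel and cookie attributes that keep it from being observed.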