The thought of willingly passing passwords in clear text is quit disturbing for a security concerned member (me). I can counter the PM issue as I do elsewhere by using GPG'd PMs, which are encrypted and decrypted ONLY locally on this end as needed. At some sites I only respond to PM's where both sides have good OPSec using GPG on messages. Is there any chance that bitcointalk could counter assault this huge password weakness by allowing U2F keys for members? Even cloudfare can't do shit about getting around an encrypted key from a member's U2F and the site server? I am not asking you to require U2F just allow it for those that are security concerned. With the price of BTC and users that have been in the game for awhile the risks of doing stuff in "plain text" during logins is not Plan A by any means.
What I meant is that Cloudflare can see your unencrypted password when you log in. It's still encrypted from the real server to Cloudflare and from Cloudflare to you. So it's not blatantly insecure except in that Cloudflare is very probably an NSA honeypot, and it's not like the NSA is going to steal your password in order to scam people on bitcointalk.org or anything. If you use PGP for important communications and use a unique password, then IMO this addresses the plausible attacks well enough.
The U2F thing is a good idea in principle, but I've long been uneasy about fiddling with the authentication. I don't want to make a mistake which breaks security.