More and more phishing, and an idea how to fix this!
I see more and more phishing on the Dutch and English Minecraft forums.
I recently saw a user who said he had created a "game". I clicked on the link and nothing happened.
Then I looked in the Java console for errors, and all I saw was my username and password, so I immediately checked the source of the Java applet.
I saw that it decrypts the "lastlogin" file and sends the username and password to their own server.
The Java applet never asks permission to read those files; it only asks permission once to execute, and all Java applets ask permission to execute.
I changed my password (and I sent a bunch of fake user/pass combinations to their server) and reported the website to the web host.
I have an idea how this problem can be solved!
1) Let the launcher save this in the "lastlogin" file:
[[USERNAME]]
[[SHA1 hash of 'username+password+salt']]
2a) And let the launcher log in like this:
https://login.minecraft.net/?user=[[USERNAME]]&password=[[SHA1 hash of 'username+password+salt']]&version=[[LAUNCHER VERSION]]
2b) The login website handles it like this (pseudocode):
if (get.version == currentversion)
{
    if (userexists(get.user))
    {
        user = fetchUser(get.user);
        if (sha1(user.username + user.password + salt) == get.password)
        {
            return currentversion + ":deprecated:" + user.username + ":" + sessionID + ":" + user.uid;
        }
    }
    return "Bad login";
}
else
{
    return "Old version";
}
Replace 'salt' everywhere with a random string that is always the same, around 10 characters; it doesn't really matter if other people know the string.
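As an added example (not code from the original post, the Minecraft launcher or login.minecraft.net), here is the whole scheme from step 1 through 2b in Python: the launcher writes the two-line "lastlogin" file, builds the step 2a request, and the server checks it exactly as the pseudocode does. The salt string, the launcher version, the sample user table and the session id are constructed placeholders; the endpoint URL is copied from the post. The last function is a check a defender would want to run against the proposal: whether a copied "lastlogin" file, on its own, still logs in.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed stand-ins for the post's placeholders (assumptions, not real values).
SALT = "k3Qw9vZp2L"        # the ~10-char "random string that is always the same"
CURRENT_VERSION = "13"     # the [[LAUNCHER VERSION]] the server considers current

# Constructed server-side user table. The pseudocode recomputes
# sha1(username+password+salt) on the server, so the server must be able to
# reconstruct the password; this sample keeps it in clear, as the pseudocode implies.
USER_DB = {"steve": {"password": "hunter2", "uid": 42}}


def login_hash(username, password, salt=SALT):
    """The post's [[SHA1 hash of 'username+password+salt']], as a hex string."""
    return hashlib.sha1((username + password + salt).encode("utf-8")).hexdigest()


def write_lastlogin(username, password):
    """Step 1: the launcher stores the username and the hash, never the password."""
    return f"{username}\n{login_hash(username, password)}\n"


def read_lastlogin(contents):
    """Parse the two-line lastlogin format from step 1 back into (username, token)."""
    username, token = contents.splitlines()[:2]
    return username, token


def build_login_url(username, token, version=CURRENT_VERSION):
    """Step 2a: the request the launcher would send (URL as written in the post)."""
    query = urlencode({"user": username, "password": token, "version": version})
    return f"https://login.minecraft.net/?{query}"


def server_login(version, user, password_hash, db=USER_DB, session_id="sess-0001"):
    """Step 2b: the post's pseudocode as a function, returning the same strings."""
    if version != CURRENT_VERSION:
        return "Old version"
    record = db.get(user)
    if record is not None:
        expected = login_hash(user, record["password"])
        # Constant-time comparison instead of ==, so response timing does not
        # leak how many leading characters of the hash were right.
        if hmac.compare_digest(expected, password_hash):
            return f"{CURRENT_VERSION}:deprecated:{user}:{session_id}:{record['uid']}"
    return "Bad login"


def lastlogin_alone_logs_in(contents):
    """Check: is the hash stored by step 1 itself enough to obtain a session?
    If so, a program that can read lastlogin (like the applet in the post) still
    gets into the account, just without learning the cleartext password."""
    user, token = read_lastlogin(contents)
    reply = server_login(CURRENT_VERSION, user, token)
    return reply.startswith(CURRENT_VERSION + ":")


if __name__ == "__main__":
    stored = write_lastlogin("steve", "hunter2")
    print(stored)
    print(build_login_url(*read_lastlogin(stored)))
    print(server_login(CURRENT_VERSION, *read_lastlogin(stored)))
    print("lastlogin alone yields a session:", lastlogin_alone_logs_in(stored))
```

Running it shows the trade-off in the design: the cleartext password no longer sits in the file or on the wire, but the hash the launcher stores is sent as-is and accepted as-is, so it is a password equivalent, and `lastlogin_alone_logs_in` returns True. Stopping that needs something the file does not contain, for example a fresh server-issued challenge folded into the hash on every login, or a per-device token the server can revoke without the user changing the password. A fixed public salt also means the file's hash can be tested offline against guessed passwords, so it protects weak passwords only a little.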
Now you can't decrypt a "lastlogin" file, and using a network sniffer doesn't really help either.
Bye, bye phishing!