I was always (and still am) under the assumption that you are fucked anyway, if either endpoint is compromised.

Sure, you can do a lot to make it less and less comfortable to read a password. But I’m not convinced that it is possible to. Fully prevent it from happening, no matter how hard you try.