It does not solve phishing at all. Phishers simply won't add secure flag to the input, and will get raw password needed to create hash for every site.

Even if all password inputs were always hashed, phishers could write their own plaintext-stealing imitations in JavaScript.