Or, and here's a startling thought (unless you've been paying attention to security research in the last decade or two):
Don't bolt password authentication into every single individual application.
There's no reason (other than laziness on the part of MoinMoin's developers) why it cares about passwords at all, either in the general case or in the specific case of this Debian wiki. We're not talking about a missile launch system, or even a financial institution; it's just a wiki. Password authentication was used because it's the "easy" way out if you don't actually care about security.
Every time we sell a hosted version of our main revenue-generating service, we walk the partner through the options for how their users can get access to the service. We work really hard to persuade them to pick a single sign-on approach, even if it means more work for us, because it's not only a better experience for users, it's a far more secure option for everybody. We don't store any passwords, hashes or password equivalents, the user doesn't end up memorising another password (or more likely, re-using one) and Bad Guys™ can't steal a password because there isn't one.
Yet apparently we're the only ones, since every service _our_ company buys (e.g. video conferencing, travel booking, online training, expense claims) from a big enterprise vendor expects to have its own passwords and its own separate user management, even though that's both wasteful and less secure.