A server may store the password hashed, but in a password-over-TLS flow the password is received by the server in plaintext. It is only encrypted on the wire (& the network stack).
Look at all the places in a standard authentication flow where the plaintext password is exposed:
- Any TLS-stripping middleboxes on the client's network. (My personal security nightmare is that someone finds a vulnerability in one of those, and hacks them to scrape anything that looks like a password.) BTW, remember when Kazakhstan did this to their entire country?
- Any TLS-terminating load balancer/front-end server/etc. at the server side of the network.
- Potentially between the front-end server and a backend that does the actual authentication, depending on how traffic is passed there.
- Finally, the server that's doing the authentication -- the password will at the very least be exposed in memory there, so anyone who can read its memory (or modify the server code to leak the passwords) can collect passwords in plaintext.
I agree that with the likes of industrial-scale MITM (Cloudflare) in the pipe it's not good... but remember Cloudflare also has access to your session tokens, not just your password, so a PAKE might not help without seriously reworking how we do sessions also.
I'm less concerned about corporate-level MITM since in those scenarios the MITM already owns the clients. Regardless of protocol, it's a lost cause there.