Correction: passwords are routinely stored in plain text (or reversably encrypted); there are a variety of challenge-response protocols that you can't run if all you have is the hash. It's a tradeoff; what do you care more about, passwords at rest or passwords in motion?
