how long have you been a web developer? Because I've been doing it for six years and almost every web app I've ever seen uses http with TLS to send the plaintext password to the backend, where it's popped into a request var at the controller level, then passed as an instance var to the service level, salted, hashed and stored. This includes apps that have to submit themselves for HIPAA compliance because they deal with PHI.