by viraptor 2652 days ago
This is the same as:

    Server sends nonce
    Client sends HMAC(nonce + password + time)
Your inner HMAC becomes the new password which now is stored in plaintext in the DB. You just call it something else.

There are better ways to implement this idea, like SRP/PAKE https://en.m.wikipedia.org/wiki/Secure_Remote_Password_proto...
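To make the "stored in plaintext" point concrete, here is an added Python model of the scheme (example code, not viraptor's). It assumes the inner value is HMAC(salt, password), the outer answer is HMAC keyed by that value over nonce + value + time, and the server keeps the inner value verbatim; a conventional salted-hash store is shown beside it for contrast.

```python
import hashlib
import hmac
import os
import time


# --- The challenge/response scheme from the comment (assumed details above) ---
def inner_secret(password: str, salt: bytes) -> bytes:
    """The 'inner HMAC': derived once from the password, then stored by the server."""
    return hmac.new(salt, password.encode(), hashlib.sha256).digest()


def challenge_response(secret: bytes, nonce: bytes, ts: int) -> bytes:
    """Client's answer: HMAC(nonce + secret + time), keyed by the secret."""
    return hmac.new(secret, nonce + secret + str(ts).encode(), hashlib.sha256).digest()


def verify_challenge(stored_secret: bytes, nonce: bytes, ts: int, response: bytes) -> bool:
    # The server re-derives the expected answer from the stored value alone;
    # the password itself never enters this check.
    return hmac.compare_digest(challenge_response(stored_secret, nonce, ts), response)


# --- Contrast: a salted password hash, which needs the password at login ---
def password_record(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_password(stored_hash: bytes, salt: bytes, password: str) -> bool:
    return hmac.compare_digest(password_record(password, salt), stored_hash)


def compare_leaks(password: str = "correct horse battery staple") -> dict:
    """What one leaked database row is worth under each scheme (constructed sample)."""
    salt = b"constructed-salt"
    nonce, ts = os.urandom(16), int(time.time())
    cr_row = inner_secret(password, salt)       # row stored by the challenge scheme
    pw_row = password_record(password, salt)    # row stored by the hashed scheme
    return {
        # Legitimate client that knows the password passes the challenge.
        "cr_login_with_password": verify_challenge(
            cr_row, nonce, ts, challenge_response(inner_secret(password, salt), nonce, ts)),
        # Whoever holds only the row also passes: the row IS the credential.
        "cr_login_with_row_only": verify_challenge(
            cr_row, nonce, ts, challenge_response(cr_row, nonce, ts)),
        # The hashed row is not a usable credential; only the real password verifies.
        "pw_login_with_row_only": verify_password(pw_row, salt, pw_row.hex()),
    }
```

The two `cr_*` results being identical is the comment's argument: the database row must be protected exactly as a plaintext password would be.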