by Sir_Substance 2205 days ago
> and it does further protect the user's password from being harvested from passive MITM'd SSL like it is on some corporate networks.

It might protect the password if the user is reusing it elsewhere, but it doesn't protect the account the password is securing during the intercepted transmission.

The MITM attacker can just replay the hash.

1 comments

No reason the server can’t provide a nonce for the login to salt the hash.
Now the server has to store the password in plain text so it can rehash with the new nonce every time.
And how would the server know the desalted hash?
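
The two login schemes discussed in this thread, as an added example that is not part of any comment above: a client that sends the same hash on every login, and a server-issued nonce that keys an HMAC response. The `Server` class, the PBKDF2 parameters, and the user name and password are assumptions constructed for illustration; here the server stores the un-nonced hash as its verifier.

```python
import hashlib, hmac, secrets

def derive_verifier(password, salt):
    # Client-side hash of the password; this is the value the server stores.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def respond(verifier, nonce):
    # Per-login response: the nonce is mixed in with HMAC keyed by the verifier.
    return hmac.new(verifier, nonce, hashlib.sha256).digest()

class Server:
    def __init__(self):
        self.users = {}    # user -> (salt, verifier)
        self.pending = {}  # user -> outstanding single-use nonce

    def register(self, user, salt, verifier):
        self.users[user] = (salt, verifier)

    def login_static(self, user, sent_hash):
        # Scheme A: the same hash is sent on every login.
        return hmac.compare_digest(self.users[user][1], sent_hash)

    def challenge(self, user):
        self.pending[user] = secrets.token_bytes(16)
        return self.users[user][0], self.pending[user]

    def login_nonce(self, user, response):
        # Scheme B: the response is valid only for the nonce just issued.
        nonce = self.pending.pop(user, None)
        if nonce is None:
            return False
        return hmac.compare_digest(respond(self.users[user][1], nonce), response)

def demo():
    server, salt = Server(), secrets.token_bytes(16)
    server.register("alice", salt, derive_verifier("correct horse", salt))  # constructed account
    # Scheme A: a value observed on the wire is accepted again unchanged.
    observed = derive_verifier("correct horse", salt)
    static_replay = server.login_static("alice", observed)
    # Scheme B: the same observed response fails against a fresh nonce.
    s, n = server.challenge("alice")
    observed = respond(derive_verifier("correct horse", s), n)
    first = server.login_nonce("alice", observed)
    server.challenge("alice")
    replayed = server.login_nonce("alice", observed)
    # The stored verifier alone can answer a challenge, so it needs the
    # same protection at rest as a password would.
    s, n = server.challenge("alice")
    from_store = server.login_nonce("alice", respond(server.users["alice"][1], n))
    return static_replay, first, replayed, from_store

if __name__ == "__main__":
    print(demo())
```
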