by megous 1522 days ago
If the server is compromised, passwords are compromised too, regardless of whether they are hashed or not.

I can selectively deauth a user to make them log in again in short order and take his password.

It depends on the level of compromise, of course.

2 comments

If it's a short break-in where someone manages to dump the DB, it makes a big difference.

Strong hashes are the way to go.

Re: deauthing. This sort of attack isn't nearly as useful if the server is something like a bank where most users only log in once in a while and don't access the account at all in between.