by b3morales 1357 days ago
If you use the password's hash as a key, the plain text no longer matters, because the hash is now the thing that an attacker needs to forge a credential. So your database is effectively storing the real password, as if you had not used a hash.

I think I see what you're saying, but how would that be useful still? Like, if an attacker has a hash of the user's password, they still don't have the server secret.
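
The point in the first comment above, as an added example that is not part of the thread: when the stored hash itself is the key, a stolen database row authenticates on its own, while a verifier that requires the preimage rejects the same row. The challenge-response protocol, class names, user name and sample password are assumptions made for illustration.

```python
import hashlib
import hmac
import os

PASSWORD = b"correct horse battery staple"  # constructed sample value


class HashAsKeyServer:
    """Assumed scheme: sha256(password) is stored and used directly as the HMAC key."""

    def __init__(self, password: bytes):
        self.db = {"alice": hashlib.sha256(password).digest()}

    def challenge(self) -> bytes:
        return os.urandom(16)

    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        expected = hmac.new(self.db[user], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class PasswordVerifierServer:
    """Stores a salted PBKDF2 output; login must present the password itself."""

    def __init__(self, password: bytes):
        salt = os.urandom(16)
        self.db = {"alice": (salt, self._kdf(password, salt))}

    @staticmethod
    def _kdf(password: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password, salt, 200_000)

    def verify(self, user: str, submitted: bytes) -> bool:
        salt, stored = self.db[user]
        return hmac.compare_digest(self._kdf(submitted, salt), stored)


def leaked_row_passes_hash_as_key() -> bool:
    server = HashAsKeyServer(PASSWORD)
    leaked = server.db["alice"]  # everything a database reader holds
    nonce = server.challenge()
    response = hmac.new(leaked, nonce, hashlib.sha256).digest()
    return server.verify("alice", nonce, response)  # plaintext never needed


def leaked_row_passes_verifier() -> bool:
    server = PasswordVerifierServer(PASSWORD)
    _salt, leaked = server.db["alice"]
    return server.verify("alice", leaked)  # stored value is not a credential
```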