We build systems which are often insecure, and where we pass our passwords over channels which can contain sniffing agents, such as man-in-the-middle ones, and which can discover our password. We also typically use HTTPS as a tunnel, where we only authenticate one side to the other. The method often used to authenticate Bob the Server to Alice the User is a digital certificate. So why not authenticate each side, and pass a proof of the password, without actually storing the password?
One method to improve the process is the Secure Remote Password protocol (SRP). In this protocol the server does not hold any password-related data, and the client provides a proof that it knows the password without giving away what the password is.
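As an added worked example (not code from the original page), here is a minimal SRP-6a exchange in pure Python using the 1024-bit group from RFC 5054, Appendix A; the choice of SHA-256 as the hash, the 16-byte salt, K = H(S) and the simple M1 proof format are this example's own. It shows what the paragraph describes: the server keeps only a verifier v = g^x, the password never crosses the wire, and the two sides derive the same key only when the client knows the password.

```python
import hashlib
import hmac
import secrets

# 1024-bit safe-prime group from RFC 5054, Appendix A (g = 2).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8  # 128 bytes; group elements are padded to this width

def pad(n):  # fixed-width big-endian encoding, as RFC 5054 requires before hashing
    return n.to_bytes(NLEN, "big")

def H(*parts):  # SHA-256 (this example's choice) over the concatenation, as an integer
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

k = H(pad(N), pad(g))  # SRP-6a multiplier: stops B from leaking v to an eavesdropper

def private_x(identity, password, salt):  # the client-side password-derived secret
    return H(salt, hashlib.sha256(identity + b":" + password).digest())

def register(identity, password):
    """Enrolment: the server stores (salt, verifier v = g^x) only, never the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(identity, password, salt), N)

def login(identity, password, salt, v):
    """One SRP-6a run; returns (proof_accepted, client_key, server_key)."""
    a, b = secrets.randbits(256), secrets.randbits(256)  # ephemeral secrets
    A = pow(g, a, N)                                      # client -> server: identity, A
    if A % N == 0:                                        # server refuses a degenerate A
        raise ValueError("A mod N == 0")
    B = (k * v + pow(g, b, N)) % N                        # server -> client: salt, B
    if B % N == 0:                                        # client refuses a degenerate B
        raise ValueError("B mod N == 0")
    u = H(pad(A), pad(B))                                 # scrambler, computed by both sides
    x = private_x(identity, password, salt)               # client only: needs the password
    S_client = pow(B - k * pow(g, x, N), a + u * x, N)    # = g^(ab + ubx)
    S_server = pow(A * pow(v, u, N), b, N)                # server only: uses v, not x
    K_client, K_server = H(pad(S_client)), H(pad(S_server))
    M1 = H(pad(A), pad(B), pad(K_client))                 # client -> server: proof of K
    expected = H(pad(A), pad(B), pad(K_server))
    accepted = hmac.compare_digest(pad(M1), pad(expected))  # constant-time server check
    return accepted, K_client, K_server
```

A wrong password yields a different x on the client, so S_client and S_server diverge and the server rejects M1 without ever having seen the password or x.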