Now the effective password (the secret shared between client and server to authenticate) is the hash. So you actually do still need to store the cleartext of this secret.
This might be fine; one of the built-in mechanisms of HTTP that we essentially never use works this way (Digest authentication), but it's far too late to agree it now (every client would need to agree to do this or else you need a complicated fallback plan) and it doesn't do much for you security-wise.
You could use an asymmetric PAKE and that gets you a few more benefits, but again every client has to implement this, so the back compatibility story is horrible.
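Added example, not part of the comment above: HTTP Digest authentication (RFC 2617, qop=auth) sketched in Python to show that the server's stored value HA1 is itself the working secret, so the credential store has to be protected like cleartext. The username, realm, password, and nonce values are the RFC 2617 sample values; the function names and the `STORED` dictionary are illustrative.

```python
import hashlib
import hmac


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # The only place the real password is ever used.
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    # RFC 2617 response for qop=auth. Note the inputs: HA1, never the password.
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


# Server-side credential store (illustrative): holds HA1, not the password.
STORED = {"Mufasa": ha1("Mufasa", "testrealm@host.com", "Circle Of Life")}

# Challenge parameters from the RFC 2617 sample exchange.
CHALLENGE = dict(
    method="GET",
    uri="/dir/index.html",
    nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
    nc="00000001",
    cnonce="0a4f113b",
)


def client_response(username, realm, password, challenge):
    # What a legitimate client computes, starting from the password.
    return digest_response(ha1(username, realm, password), **challenge)


def response_from_store(username, challenge):
    # What can be computed from the stored record alone, with no password.
    return digest_response(STORED[username], **challenge)


def server_verify(username, challenge, response):
    stored = STORED.get(username)
    if stored is None:
        return False
    expected = digest_response(stored, **challenge)
    return hmac.compare_digest(expected, response)
```

Both `client_response` and `response_from_store` yield the same value, which is why hashing on the client does not remove the need to guard what the server stores.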