I trust we all agree that storing cleartext passwords in a database and doing a simple string compare is a problem, so I won't rehash that bit.
If a login server is compromised then attackers can harvest cleartext passwords. It's the same class of problem with a reduced attack surface.
There is no good reason to transmit a persistent authentication secret as part of authentication. Just don't do it.