Because we enforce the use of SSL, passing the raw password or other confidential data over the internet is safe enough. But if the server has been hijacked, there is a chance that whoever controls it can read the raw password on the server side.
One solution is to hash the raw password on the client side and then pass only the hash to the server. Even if the server is hijacked, the hacker may learn the hash of the password, but is unable to learn the raw password.