Wouldn't npm client be sending the hashed version of the password rather than the password itself? then the server only has to compare the two hashes.