Just a side note. Hashing the user, realm, and password to create the shared secret does not provide the same protection the hashing in standard password files. The hash is the shared secret so anyone who retrieves the password database can use the secret to authenticate. They don't need the brute force the plaintext password like the password files.

The advantage is that they don't acquire the plaintext password and can't use it to login into any other services that use the same password.