Wow, what a nothingburger. First of all, the passwords are hashed on disk; this is just about their transmission over the network (where they can't be hashed without the hash being password-equivalent). Anyway, the headline is only true if you don't count TLS as encryption, which is absurd. Yes, we'd probably be better off using some sort of PAKE protocol, but SQL Server handles passwords the same way basically every other server of any sort handles them. If this were actually a vulnerability in SQL Server, then you could count on one hand the number of services today that accept passwords but weren't also vulnerable.
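The password-equivalence point above, as an added example that is not part of the original comment: a toy Python model comparing a client that sends the password with one that sends a hash of it. The `Server` class, `client_hash`, the SHA-256/PBKDF2 choices and the sample password are assumptions made for illustration and do not reflect SQL Server's actual protocol.

```python
import hashlib, hmac, os

def client_hash(password: str) -> bytes:
    # Hypothetical client-side scheme: hash the password before sending it.
    return hashlib.sha256(password.encode()).digest()

class Server:
    """Toy server: stores a salted PBKDF2 hash of whatever arrives on the wire."""
    def __init__(self):
        self.users = {}

    @staticmethod
    def _kdf(secret: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", secret, salt, 10_000)

    def register(self, user: str, wire_secret: bytes) -> None:
        salt = os.urandom(16)
        self.users[user] = (salt, self._kdf(wire_secret, salt))

    def login(self, user: str, wire_secret: bytes) -> bool:
        salt, stored = self.users[user]
        return hmac.compare_digest(stored, self._kdf(wire_secret, salt))

def demo() -> dict:
    password = "correct horse battery staple"  # constructed sample value
    plain = Server()    # scheme A: the password itself goes on the wire
    plain.register("alice", password.encode())
    hashed = Server()   # scheme B: the client-side hash goes on the wire
    hashed.register("alice", client_hash(password))
    wire_a = password.encode()       # bytes visible on an unprotected channel
    wire_b = client_hash(password)
    return {
        # Replaying the observed bytes authenticates in both schemes.
        "replay_plain_wire": plain.login("alice", wire_a),
        "replay_hashed_wire": hashed.login("alice", wire_b),
        # Hashing only hides the original password text, not the credential.
        "wire_hash_is_password_text": wire_b == password.encode(),
        # The on-disk record is not accepted as a login secret.
        "disk_record_logs_in": hashed.login("alice", hashed.users["alice"][1]),
    }

if __name__ == "__main__":
    print(demo())
```

In both schemes the bytes on the wire are the credential, so the protection has to come from the channel (TLS) or from a protocol such as a PAKE that never sends a replayable secret.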