
Yes, the server also knows the "pass" (can be salted hash if you wish, I use hash(pass+name) but it doesn't change the usefulness of this simple auth) and verifies the hash by re-hashing and comparing. Edit: Sad that most people miss the forest for all the trees, should have called pass secr. instead.


> should have called pass secr. instead.

Even if you used a pre-hashed (well, preferably key derived using scrypt, argon2, etc.) password, the problem is that if an attacker dumped your database they can still log in to every account on your system without the original password.

To perform a full challenge response system, you'd need to get some public key crypto going, be that deriving ed25519 keys on the client or going to a full PAKE algorithm like SRP. Anything short of that means your challenge response is going to prove almost as bad as clear text if an attacker steals the secrets.
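Added example, not part of the thread and not any commenter's code: a Node.js check of the property argued above, comparing a server that stores the derived secret with one that stores only an Ed25519 public key derived from the same secret. The function names, password and salt are constructed for illustration.

```javascript
// Added example: names, password and salt are constructed for illustration.
const crypto = require('node:crypto');

// DER header that wraps a raw 32-byte Ed25519 seed as a PKCS#8 private key.
const PKCS8_ED25519 = Buffer.from('302e020100300506032b657004220420', 'hex');

// Client side: stretch the password with scrypt into 32 secret bytes.
const derive = (password, salt) => crypto.scryptSync(password, salt, 32);
const hmac = (key, msg) => crypto.createHmac('sha256', key).update(msg).digest();
const seedToKey = (seed) => crypto.createPrivateKey(
  { key: Buffer.concat([PKCS8_ED25519, seed]), format: 'der', type: 'pkcs8' });

// Design A: server stores the derived secret and re-computes the response.
function enrollShared(password, salt) {
  return { salt, secret: derive(password, salt) };
}
function verifyShared(record, challenge, response) {
  const expected = hmac(record.secret, challenge);
  return response.length === expected.length &&
    crypto.timingSafeEqual(expected, response);
}

// Design B: the derived secret is an Ed25519 seed; server stores only the public key.
function enrollPublic(password, salt) {
  const pub = crypto.createPublicKey(seedToKey(derive(password, salt)));
  return { salt, publicKey: pub.export({ type: 'spki', format: 'der' }) };
}
function verifyPublic(record, challenge, signature) {
  const pub = crypto.createPublicKey(
    { key: record.publicKey, format: 'der', type: 'spki' });
  return crypto.verify(null, challenge, pub, signature);
}

// Audit check: is the stored record, with no password, enough to pass verification?
function auditStoredRecords(password = 'constructed-password') {
  const salt = Buffer.from('constructed-salt');
  const challenge = crypto.randomBytes(32);
  const a = enrollShared(password, salt);
  const b = enrollPublic(password, salt);
  // Design A: the stored value is the HMAC key itself.
  const sharedRecordSuffices = verifyShared(a, challenge, hmac(a.secret, challenge));
  // Design B: reusing the stored bytes as a seed yields a different key pair.
  const fromRecord = seedToKey(b.publicKey.subarray(-32));
  const publicRecordSuffices = verifyPublic(b, challenge, crypto.sign(null, challenge, fromRecord));
  // The real client, re-deriving its seed from the password, still verifies.
  const client = seedToKey(derive(password, salt));
  const clientVerifies = verifyPublic(b, challenge, crypto.sign(null, challenge, client));
  return { sharedRecordSuffices, publicRecordSuffices, clientVerifies };
}
```

In design B a weak password can still be guessed offline against the stored public key, so the slow key derivation remains necessary.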


Sure, if the servers are compromised, they are compromised. So you prefer more complexity in your auth; so that something that should not happen, can happen? Simplicity is important.


Congrats, you have been proposed for this year's "Plaintext Password Award", the trophy that every industry professional despises but somehow many still manage to obtain one!


Does this not allow the server credentials to be stolen and then used to log in as you?


As a bonus you get to try all the passwords on popular websites.



