Just keep in mind that even with a new endpoint, the plaintext password will need to be sent at least once to the server. This is true even if you are implementing OAuth2, and AFAIK there’s no way around it. So HTTPS is the only solution to avoid this.