> Or is there something in the password method itself, that is inherently weak?

You have to send your password/hash. With PKC, your private key never leaves your device. It can even live on a separate security key. All you ever send are signed messages, never your key.