In other words: it's how passwords work on websites. Because it's usually good enough, as the only thing you are protecting is access to the server on the other side, and the pipe to that is already encrypted with TLS.

But this isn't a hard requirement. See Protonmail as a counterexample. And again, wifi authentication. I reckon debit card PINs as well.