If I understood you correctly - there doesn't need to be a tradeoff between wire and storage security.

You could use a oneway hash at the client side as well.

If you don't want to divulge what's the hash in your database, you can add another oneway hash for whatever reaches the server.

The challenge-response can also be based on hashes.