My comment is in two parts. First, the government has no business auditing private companies about how to store credit cards or passwords. There should be no regulations in principle, and security is no exception. Better security has to come from private initiatives.
You say that big companies like don’t innovate enough about security? The internet of today would still be like the Gopher of the 1990s if it were not for its commercial use. And what about the iPhone and the iPad, which not long ago were Star Trek science-fiction tablets? And what about Face ID and Touch ID?
Second, about OPAQUE. I wrote a Medium post about it too. If the server’s database is compromised, any password can be brute-forced, because the server stores the salt. So just try many password + salt combinations until you can decrypt the user’s record. That’s why the RFC suggests using scrypt. However, the whole point of OPAQUE is to allow relatively weak passwords. (Strong passwords can just form crypto keys directly, and OPAQUE is not needed at all.)
Even without brute-forcing the password, such a database can be used to simulate a MITM and cause the user to trust the server, which opens the door to phishing to collect the cleartext password.
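The comment's point about a compromised server record is worth making concrete from the defender's side. The following is an added example, not code from the commenter, the RFC, or any OPAQUE implementation: it models the stored record as nothing more than a salt plus a secret derived from the password (real OPAQUE envelopes and the OPRF are deliberately left out), and shows how the choice of key-stretching function sets the cost of each offline guess once the database has leaked. The salt, the candidate list, and the scrypt parameters are constructed values chosen for the example.

```python
import hashlib
import hmac
import time

# Constructed toy record. This is NOT OPAQUE; it only models the "salt plus
# password-derived secret" that a leaked server database hands to an attacker.
SALT = b"constructed-salt-0123456789abcdef"   # constructed, fixed for the demo
CHECK_MSG = b"envelope-check"                   # plaintext the derived key authenticates
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1    # 16 MiB of memory per derivation


def stretch_scrypt(password: bytes, salt: bytes) -> bytes:
    """Memory-hard stretching: every guess costs the attacker 16 MiB and real time."""
    return hashlib.scrypt(password, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def stretch_fast(password: bytes, salt: bytes) -> bytes:
    """Plain salted hash: the weak setting, shown only for comparison."""
    return hashlib.sha256(salt + password).digest()


def make_record(password: str, stretch=stretch_scrypt, salt: bytes = SALT) -> dict:
    """What the server stores: the salt and an HMAC tag keyed by the stretched password."""
    key = stretch(password.encode(), salt)
    tag = hmac.new(key, CHECK_MSG, "sha256").digest()
    return {"salt": salt, "tag": tag}


def verify(record: dict, password: str, stretch=stretch_scrypt) -> bool:
    """Recompute the tag from a candidate password and compare in constant time."""
    key = stretch(password.encode(), record["salt"])
    return hmac.compare_digest(hmac.new(key, CHECK_MSG, "sha256").digest(), record["tag"])


def offline_guesses_needed(record: dict, candidates, stretch=stretch_scrypt):
    """Count how many derivations a leaked record costs before a candidate matches.

    Returns (matching_candidate_or_None, derivations_performed). With the salt in
    hand the attacker needs nothing from the server, so the only lever left to the
    defender is the per-derivation cost of `stretch`.
    """
    for count, cand in enumerate(candidates, start=1):
        if verify(record, cand, stretch):
            return cand, count
    return None, len(candidates)


def seconds_per_guess(stretch, samples: int = 3) -> float:
    """Rough wall-clock cost of one derivation, to compare stretching choices."""
    start = time.perf_counter()
    for _ in range(samples):
        stretch(b"timing-probe", SALT)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    # Constructed candidate list standing in for a small dictionary.
    candidates = ["123456", "password", "letmein", "correct horse battery staple"]
    for name, stretch in (("sha256", stretch_fast), ("scrypt", stretch_scrypt)):
        record = make_record("letmein", stretch)
        found, tried = offline_guesses_needed(record, candidates, stretch)
        print(f"{name:7s} recovered={found!r} after {tried} guesses, "
              f"~{seconds_per_guess(stretch) * 1e3:.1f} ms per guess")
```

Both stretching functions recover a dictionary-listed password after the same number of guesses; what changes is the time each guess costs, which is the only protection a leaked record retains. That is the trade-off the comment is pointing at: a memory-hard function such as scrypt buys time after a breach, but it does not make a password in a common list safe.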