Because the server doesn't store the password, only the "password hash" of the password. So if the server isn't compromised during the login there's no way for the attacker to learn the password itself.