CRAM-MD5 and DIGEST-MD5 are terrible for exactly this reason; a similar argument is part of the reason nobody uses HTTP digest auth. Mitigating this vulnerability is part of the motivation for SRP, which is computationally hard to brute force and non-reversable.