I think this could be handled by hashing passwords client-side (before sending them to the WebSocket) using the Web Crypto API `digest()`.
Also, bound to this issue: if the password attempt you send contains any non-ASCII character, the server will hang and the "invalid password" message won't appear.
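
Added example, not part of the original comment or the project's code: one way to do the client-side hashing suggested above so that whatever the user types, including non-ASCII characters, reaches the server as a fixed-length ASCII hex string. The message shape (`type`, `passwordSha256`), the NFC normalization step and the `ws` socket are assumptions.

```javascript
// Added example. Function names and the wire format are hypothetical.

// Resolve SubtleCrypto in a browser, or in Node where the global may be absent.
async function getSubtle() {
  if (globalThis.crypto && globalThis.crypto.subtle) return globalThis.crypto.subtle;
  const { webcrypto } = await import('node:crypto');
  return webcrypto.subtle;
}

// Normalize to NFC (assumption) so the same visible password always yields
// the same bytes, then encode as UTF-8 so non-ASCII input is well defined.
function utf8Bytes(text) {
  return new TextEncoder().encode(text.normalize('NFC'));
}

// ArrayBuffer -> lowercase hex string.
function toHex(buffer) {
  return Array.from(new Uint8Array(buffer), (b) => b.toString(16).padStart(2, '0')).join('');
}

// SHA-256 of the password: always 64 hex characters, always ASCII.
async function hashPassword(password) {
  const subtle = await getSubtle();
  const digest = await subtle.digest('SHA-256', utf8Bytes(password));
  return toHex(digest);
}

// Hypothetical auth frame; refuses anything that is not a SHA-256 hex digest,
// so raw (possibly non-ASCII) input can never be sent by mistake.
function buildAuthMessage(hexDigest) {
  if (!/^[0-9a-f]{64}$/.test(hexDigest)) {
    throw new TypeError('expected a 64-character SHA-256 hex digest');
  }
  return JSON.stringify({ type: 'auth', passwordSha256: hexDigest });
}

// Usage with an already open WebSocket `ws` (assumed):
//   ws.send(buildAuthMessage(await hashPassword(passwordInput.value)));
```

The digest is itself a password-equivalent on the wire, so the connection still needs TLS and the server should store it under a salted, slow password hash. Server-side handling of non-ASCII input still has to be fixed separately, since a client can send arbitrary bytes.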