The simple scenario you outline above is about how it usually works. <input type="password">
is by default sent to the server in plain text, which is why login pages should use HTTPS to encrypt that communication. JavaScript has nothing to do with this.
solved How are websites requiring authentication made? [closed]