Nor is the password, alone, in any form. The nonce is used with the password to create the MD5 response it expects from the client. It’s why the nonce is provided in the WWW-Authenticate or other forms. There is also the qop option: depending on the qop setting, the responses and hashes are generated differently.
You understand that PBXes and SIP platforms can have the same user/auth IDs across them. How many have extensions 100, 101 or 1000 or 200, 201, etc., etc., etc.? I watch SIP attacks happen every day and they are attempting with those standard types of auth IDs. So they are either guessing at the passwords and/or they are hoping for insecurity on the network like not authing INVITEs from users. They don’t need to “snoop” you to get your auth ID, they just use something along the lines of a “dictionary attack” to try all the standard combinations of usernames.
No one needs to be “registered” to make calls as a SIP user, REGISTER just tells the system where you are located and unless they have certain measures in place they’ll auth INVITEs (or not) regardless if there is an “active” registered location.
I run three different ITSPs’ networks for their end users and clients. All of them are “hosted” in the regard that everything is in the cloud. Making everything TLS as a core security measure has never been a priority or an actual need. Hasn’t been now or in the past decade+.
Basically relying on TLS as your security method for your voice network is like relying on IPv6 so that you don’t have “NAT Issues”.
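The digest computation the post above refers to, as an added example that is not part of the original post: the RFC 2617 MD5 response as SIP uses it, with and without qop, plus a server-side check that recomputes the value from the stored password. The extension, realm, password and nonce values are constructed for illustration.

```python
import hashlib
import hmac


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 digest response (algorithm=MD5), the scheme SIP reuses."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop is None:
        # Challenge carried no qop: legacy three-field form.
        return md5_hex(f"{ha1}:{nonce}:{ha2}")
    if qop != "auth":
        raise ValueError("only qop=auth is handled in this example")
    if not nc or not cnonce:
        raise ValueError("qop=auth requires nc and cnonce")
    # qop=auth mixes in the nonce count and the client nonce.
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify(client_response, **params):
    """Server side: recompute from the stored password, compare in constant time."""
    expected = digest_response(**params)
    return hmac.compare_digest(expected, client_response.lower())


# Constructed sample values (not from any real system).
SIP = dict(username="1000", realm="pbx.example.invalid",
           password="constructed-secret", method="REGISTER",
           uri="sip:pbx.example.invalid", nonce="constructed-nonce-1")

if __name__ == "__main__":
    legacy = digest_response(**SIP)
    with_qop = digest_response(**SIP, qop="auth", nc="00000001", cnonce="c0ffee01")
    print("no qop  :", legacy)
    print("qop=auth:", with_qop)
    # The same response checked against a fresh nonce no longer verifies.
    print("fresh nonce accepts old response:",
          verify(legacy, **{**SIP, "nonce": "constructed-nonce-2"}))
```
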