Can you point out the mod please.
Please read what I said again. The only time it has ever shown me is IF I SPECIFICALLY MODIFY IT i.e. doing it myself. Go back to the discussions of the attacks at the start of last year, I admitted that I was logging incorrect password attempts on my site specifically to observe what the bots were doing.
I also call BS on this one, actually, because the *vast* majority of passwords that are sent to SMF are in fact hashed by the browser BEFORE they're sent. Most legitimate users only ever send in their password once, to register. (Or twice, unhashed, if you've done a conversion from a system that doesn't use the same hashing method and password hashing has to be done twice.)