It's more complicated than that. Please see my comments on security elsewhere in the thread. We store a password verifier object -- that's akin to a secure hash, but our authentication model offers better guarantees about protection from man-in-the-middle attacks.