Password is always hashed except during login, after registration, after forgot login (if retrieving a new password), or if they change their password during profile update. So in your case you'd act on the onAfterUserRegistration trigger. You'd simply substitute it in with [password]; same for username with [username].