You'd use onAfterUserRegistration for frontend registrations and onAfterNewUser for backend registrations. The [password] substitution should work fine for both but may not be the case if using generated passwords, but if not try directly accessing the user object with [var1_password].