User permission password showing on response data

I think a user’s password should never be stored anyway. Why is there no salt/hash being used?