The solution to the problem mentioned above is very simple, as things always are with CakePHP.
The cause of the problem is AuthComponent, which hashes your password. The solution? Simple!
Instead of this:
echo $form->input('User.password', array('value' => ''));
And voila: the password is never sent to the browser. This is a very good thing to do, even if you don't have a "hash issue", because it also improves your security (or privacy) a bit.