It's only plaintext by default to get up and running as fast as possible, which is why I wrote the extension in the first place. Armin has, on occasion, expressed interest in improving the extension ecosystem but nothing specific yet.

I didn't even manage to change it. Tried all three values for SECURITY_PASSWORD_HASH mentioned in the docs and nothing worked (i.e. still plain text).

This was just a test project of mine so I used the settings like this (in my app.py file):

    SECURITY_PASSWORD_HASH = 'pbkdf2_sha512'
    app = Flask(__name__)
    app.config.from_object(__name__)

If you set the password hash type to something other than plaintext you also need to set the `SECURITY_PASSWORD_SALT` configuration option.