> Also, steam should never even see the password, they should only ever see the hash.

Sites/apps will generally handle your plaintext password each time you login or set your password. They (hopefully) just don't store it.