Security and flow
On Log In
You fill your password or posting wif on Steem Connect login form.
If you filled a password it’s converted to posting wif in browser side.
The posting wif is encrypted with csrf token on browser.
A request is sent to the server with the encrypted posting wif.
Server decrypt the posting wif then encrypt it with a server secret salt and create a cookie which is saved in user browser.

I thought that meant it's not saving the password directly? I will gladly correct the post. Please elaborate. Thank you.