Even while I was working on my auth plugin for the Zend Framework, I thought it was right that the user DB table needs to store the password.
Well, bad luck, I was wrong. I wrestled with the fact that the password is stored in my user domain model. This means that everywhere we use the user domain model, the code can have access to the password - that sucks in terms of security.
After a few minutes with a colleague we figured out that the password and even the login name should be stored and managed by an auth class. Even cooler, when you store this information in a central authentication you can use it everywhere (I mean other projects or modules as well).
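
One way to lay out this split, as an added example that is not code from the original post. The names `User` and `AuthService` and the sample data are hypothetical, and storing a `password_hash` value instead of the password itself is an assumption the post does not state.

```php
<?php
declare(strict_types=1);
// Requires PHP 8.1+ (readonly promoted properties).

// Domain model: identity and profile data only, no login name, no password.
final class User
{
    public function __construct(public readonly int $id, public readonly string $displayName) {}
}

// Hypothetical central auth class: the only code that ever sees credentials.
final class AuthService
{
    /** @var array<string, array{userId: int, hash: string}> keyed by login name */
    private array $credentials = [];

    public function register(int $userId, string $loginName, string $password): void
    {
        // Assumption: keep a salted hash, never the plain password.
        $this->credentials[$loginName] = [
            'userId' => $userId,
            'hash'   => password_hash($password, PASSWORD_DEFAULT),
        ];
    }

    // Returns the user id on success, null on failure; the hash never leaves this class.
    public function authenticate(string $loginName, string $password): ?int
    {
        $entry = $this->credentials[$loginName] ?? null;
        // Unknown logins are checked against a dummy hash so both paths do similar work.
        $ok = password_verify($password, $entry['hash'] ?? self::dummyHash());
        return ($ok && $entry !== null) ? $entry['userId'] : null;
    }

    private static function dummyHash(): string
    {
        static $h = null;
        return $h ??= password_hash('constructed-dummy', PASSWORD_DEFAULT);
    }
}

// Constructed sample data.
$auth = new AuthService();
$auth->register(42, 'alice', 'correct horse battery staple');
$users = [42 => new User(42, 'Alice')];

$id = $auth->authenticate('alice', 'correct horse battery staple');
var_dump($id !== null ? $users[$id]->displayName : null); // user is loaded by id only
var_dump($auth->authenticate('alice', 'wrong'));
var_dump($auth->authenticate('mallory', 'x'));
```

Code that receives a `User` object has no property through which it could read or log a credential, and other projects or modules can call the same `AuthService` and only ever get back a user id.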