They literally do, as if you were to inspect the traffic you’d realise that the actual password is never sent to the server
(Also obviously not hashes, but that’d require you to actually read the documentation and understand the subject)