Channel: SCN: Message List - Security

Re: Does NW7.4 ABAP stack still not support usernametoken with digest password?


I asked my experts about your question. On the client side we support this. We cannot support digest passwords on the server side. We save passwords in hashed format on the server side. To support digest passwords, the client would either need to send the password in clear text so that the digest can be calculated or the server would have to store the password in clear text, so that the digest password can be calculated. From a security standpoint these are questionable ideas. Either an eavesdropper is picking up the passwords from the traffic or the attacker who breaks the server suddenly has all the passwords in clear text.

 

You can modify the method VERIFY_USERNAME_TOKEN, but if an upgrade comes along that changes this package, you'll be prompted for a correction import. Then you will either have to skip the upgrade or lose your customization.

 

-Michael
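
The trade-off described in the reply above, as an added example that is not part of the original post and is not SAP code. It uses the PasswordDigest formula from the OASIS WS-Security UsernameToken Profile, Base64(SHA-1(nonce + created + password)); the function names, the PBKDF2 stand-in for a server-side password hash, and all sample values are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def store_hashed(password: str, salt: bytes) -> bytes:
    """Constructed stand-in for a one-way server-side password hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def verify_with_cleartext(stored_password: str, nonce: bytes,
                          created: str, received: str) -> bool:
    """Works, but only because the server keeps the password itself."""
    expected = password_digest(nonce, created, stored_password)
    return hmac.compare_digest(expected, received)


def verify_with_hash_only(stored_hash: bytes, nonce: bytes,
                          created: str, received: str) -> bool:
    """The stored hash is the only secret-derived value the server has.
    Putting it into the digest formula cannot reproduce the client's value,
    because the client hashed the real password, which the server cannot
    recover from a one-way hash."""
    candidate = password_digest(nonce, created, stored_hash.hex())
    return hmac.compare_digest(candidate, received)


def demo() -> dict:
    # Constructed sample values, not taken from any real system.
    password = "constructed-Passw0rd"
    salt = bytes(16)
    nonce = bytes(range(16))
    created = "2014-01-01T00:00:00Z"
    received = password_digest(nonce, created, password)  # what the client sends
    return {
        "cleartext_store_verifies": verify_with_cleartext(password, nonce, created, received),
        "hash_store_verifies": verify_with_hash_only(store_hashed(password, salt), nonce, created, received),
    }


if __name__ == "__main__":
    print(demo())
```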

