I see custom authentication service as an option for this. In your authentication service, you can explicitly verify the password as far as authentication is concerned, and you can also perform the custom encryption you want and save it somewhere in the system.
If you are using Pega OOTB authentication, you can create custom authentication service and in the authentication activity, you can try using pxSamePassword utility API to verify the user entered password with the password present on Operator record. If you are using SAML, I don't see a way to capture user entered password in plain text. I will let others to comment on that.