Hervey posts another great entry in his blog that digs into the whole confusing issue about whether clear-text passwords are required for using hashed UsernameTokens.  He hits all the ins and outs.  Ultimately the string you pass to the constructor of the UsernameToken object must match the string returned from the AuthenticateToken method of your UsernameTokenManager class on the server.  If you want to hash the real password with some shared secret, then you have to do the same thing on the client as you do on the server.  Of course then you have to use your own logic to do this and your own way to share the secret which is probably not something you really want to do.

For all the details, see Hervey's post.