The plugin installs with a certain set of defaults based on sending users a password when they register. The plugin has a lot of other possible configurations but you must make appropriate changes.
When the plugin is set for moderated registration AND you allow users to set a password at registration, you cannot send the user their password when they are activated. [See Moderating Registration: User Defined Passwords] In this scenario, it is not necessary to send them a password at all since they have already set it. However, if you want to send them a copy of their user credentials, then the password must be sent in the email that goes to the user when they register, not when they are activated. You can change this in the Emails tab.
The reason for this is that the only time a password is available in plain text is when it is created. When a generated password is sent, that password is created when the user is approved. This is why the default email content places the password shortcode in the activation email. When a user creates a password at registration, then the only time that password will be available is at that moment. After that it will be hashed.