They are not transmitted. At no time does FMP send or receive the Username and password when authenticating a user account.
For internal accounts when someone logs into a FMP database the username and password are hashed on the client. The hash is sent to the FMS. The hash is compared to the hashes in the database and if it is acceptable then the list of groups the account has been assigned to is returned to the Client. The client then compares the file's group list in authentication order against the list returned by the server. The first match allows entry with that set of privileges.
External accounts use the computer's OS to do the authentication and return of the group list.
That's exactly what I needed. Thanks for the answer!