Remove confusing pending status from password_hashing_spec

The password_hashing_spec was using 'pending unless verifying_fixed?' which caused
confusing output in maintainer mode:
- Before: "1 example, 0 failures, 1 pending" with "(compared using ==)" message
- After: "1 example, 0 failures" - clean output

The spec now uses conditional expectations:
- Training mode: expects password is NOT MD5 hashed (test fails, vulnerability exists)
- Maintainer mode: expects password IS MD5 hashed (test passes, verifies vulnerability)

This addresses the "(compared using ==)" error message that @jasnow reported in issue #486.

Related to #486

spec/vulnerabilities/password_hashing_spec.rb

@@ -6,7 +6,6 @@ feature "improper password hashing" do
 
   before do
     UserFixture.reset_all_users
-    pending unless verifying_fixed?
   end
 
   scenario "with just md5\nTutorial: https://github.com/OWASP/railsgoat/wiki/A6-Sensitive-Data-Exposure-Insecure-Password-Storage" do
@@ -15,7 +14,13 @@ feature "improper password hashing" do
     normal_user.password_confirmation = new_pass
     normal_user.save!
 
-    expect(normal_user.password).not_to eq(Digest::MD5.hexdigest(new_pass))
+    if verifying_fixed?
+      # Training mode: expect BCrypt (not MD5) - test should fail because vulnerability exists
+      expect(normal_user.password).not_to eq(Digest::MD5.hexdigest(new_pass))
+    else
+      # Maintainer mode: expect MD5 to verify vulnerability still exists - test should pass
+      expect(normal_user.password).to eq(Digest::MD5.hexdigest(new_pass))
+    end
   end
 
 end