Background
Since version 3.0 DotNetNuke's user membership is built upon (and extended from) Microsofts
MembershipProvider classes that ship with asp.net.
These handle the storage and retrieval of user specific information, as well as the user's passwords. Version 3.0 and above shipped with encrypted passwords set by default, but version 7.1.0 changes to hashed passwords. Users can elects to change the default by editing the following value in web.config
passwordFormat="[Clear|Hashed|Encrypted]"
PasswordFormat values
The PasswordFormat property indicates the format that passwords are stored in. Passwords can be stored in Clear, Encrypted, and Hashed password formats. Clear passwords are stored in plain text, which improves the performance of password storage and retrieval but is less secure, as passwords are easily read if your data source is compromised. Encrypted passwords are encrypted when stored and can be decrypted for password comparison or password retrieval. This requires additional processing for password storage and retrieval, but is more secure, as passwords are not easily determined if the data source is compromised. Hashed passwords are hashed using a one-way hash algorithm and a randomly generated salt value when stored in the database. When a password is validated, it is hashed with the salt value in the database for verification. Hashed passwords cannot be retrieved.