as far as storing passwords they seem to be encrypted against the site information so the encrypted pass is different every time
as for client -> server password, its just the same no encrytion its all sent as clear text and anybody with a packet sniffer can find it
