Kentico CMS 7.0 Developer's Guide

Password format


Passwords can be stored in the database in several different formats: either in plain text or as the output of a cryptographic hash function. You choose which option is used via the Password format setting.

By default, passwords are stored using the SHA2 hash format with the additional application of a salt. A salt is a string that is appended to a password before it is hashed. Salting helps protect the stored hashes against dictionary attacks and other types of brute force attacks, and it also ensures that every user has a different password hash, even if several users share the same password. The GUID of each user is used as the salt for that user's password. If you wish to further increase the length of the salt, add the following key to the /configuration/appSettings section of your web.config file:

<add key="CMSPasswordSalt" value="SaltText" />

The value of this key will be added to the salt after the user GUID.
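To make the salting scheme described above concrete, the following added example (not Kentico's own code) models it in Python: the salt is the user GUID with the CMSPasswordSalt value appended after it, and the stored value is a SHA-2 hash over the password plus that salt. The choice of SHA-256 with hex encoding, the password/salt concatenation order and the sample GUIDs are assumptions made for illustration; Kentico's internal details may differ.

```python
import hashlib
import hmac

# Constructed sample values: two user GUIDs and the CMSPasswordSalt from web.config.
USER_GUID_A = "b7b2d9e0-0c5b-4f0e-9d2a-000000000001"
USER_GUID_B = "b7b2d9e0-0c5b-4f0e-9d2a-000000000002"
CMS_PASSWORD_SALT = "SaltText"


def build_salt(user_guid: str, cms_password_salt: str = "") -> str:
    """Per-user salt: the user GUID, followed by the optional CMSPasswordSalt
    value (the order the documentation describes). When the web.config key
    is absent the salt is just the GUID."""
    return user_guid + cms_password_salt


def hash_password(password: str, user_guid: str, cms_password_salt: str = "") -> str:
    """Assumed 'SHA2 with salt' scheme: SHA-256 over password + salt, hex encoded.
    Because the salt is unique per user, equal passwords yield different hashes."""
    salt = build_salt(user_guid, cms_password_salt)
    return hashlib.sha256((password + salt).encode("utf-8")).hexdigest()


def verify_password(candidate: str, user_guid: str, stored_hash: str,
                    cms_password_salt: str = "") -> bool:
    """Recompute the hash for the login attempt and compare in constant time.
    The CMSPasswordSalt value must be the same one used when the hash was stored;
    changing it later invalidates every existing hash, just like changing the
    password format does."""
    recomputed = hash_password(candidate, user_guid, cms_password_salt)
    return hmac.compare_digest(recomputed, stored_hash)


def same_password_different_hashes(password: str, cms_password_salt: str = "") -> bool:
    """Demonstrates the property the documentation claims: two users with the
    same password do not share a hash, because their GUID salts differ."""
    return (hash_password(password, USER_GUID_A, cms_password_salt)
            != hash_password(password, USER_GUID_B, cms_password_salt))
```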

If you change the password format, keep in mind that this only affects how passwords are stored from that point on. Existing passwords remain in their original format. To have them stored in the new format, you will need to reset all passwords. For this reason, it is recommended to set the appropriate format directly after installation, before you create user accounts or allow users to start registering.