Passwords are stored locally and authentication is checked locally and not on the server. In a few days, we are going to store the password on Salesforce(encrypted) so the same auth process will be done on servers.