As of XNAT 1.5.3, all passwords are encrypted using SHA-2 before they are stored in the database. However, if you are upgrading from an earlier version of XNAT and using your old database, only passwords that are changed after the upgrade will be SHA-2 encrypted. The others will still be stored in plain-text or obfuscated form. Any attacker that gains access to the database will be able to figure out all unencrypted passwords. This is especially problematic since many users use the same passwords across accounts and an attacker could exploit this to gain access to one of your users' bank account. Attackers should not be able to access the database, but it is best to encrypt passwords to minimize the damage in case they do.
You can encrypt all passwords in the database by installing pgcrypto and executing a simple SQL statement. To install pgcrypto, you must run pgcrypto.sql. It may be located at POSTGRESQL_HOME/contrib/pgcrypto, POSTGRESQL_HOME/share/contrib/pgcrypto, or POSTGRESQL_HOME/share/contrib. Go to the directory containing pgcrypto.sql and execute the following statement where 'database' is the name of your database and 'database_owner' is the database owner: