How are readers authenticated for leaving comments?

By default, passwords are encrypted using 8 passes of MD5. There are other ways to configure the password encryption. (https://codex.wordpress.org/Function_Reference/wp_hash_password)

The hashes are based on custom keys set up in the wp-config file when creating the site.

They are stored locally and not on WordPress.com.

You can make users register to leave comments or you can open them up to the public.
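
How a stored hash of this kind is laid out and checked, as an added example that is not part of the original answer and is not WordPress's own code. It assumes the phpass "portable" format (`$P$` prefix) that `wp_hash_password` has historically produced; the function names and the sample salt and password are constructed for illustration.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def encode64(data: bytes) -> str:
    """phpass base64 variant: 3-byte little-endian groups, 6 bits per char."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        out.extend(ITOA64[(value >> (6 * j)) & 0x3F] for j in range(len(chunk) + 1))
    return "".join(out)


def parse_portable(stored: str) -> dict:
    """Split a 34-char hash (or its 12-char setting) into cost, salt, digest."""
    if len(stored) not in (12, 34) or stored[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass portable hash")
    log2 = ITOA64.find(stored[3])  # cost character encodes log2(iterations)
    if not 7 <= log2 <= 30:
        raise ValueError("iteration count out of range")
    return {"rounds": 1 << log2, "salt": stored[4:12], "digest": stored[12:]}


def portable_hash(password: str, setting: str) -> str:
    """Recompute the hash for `password` with the cost and salt in `setting`."""
    fields = parse_portable(setting)
    pw = password.encode("utf-8")
    digest = hashlib.md5(fields["salt"].encode("ascii") + pw).digest()
    for _ in range(fields["rounds"]):  # salted MD5 stretched `rounds` times
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + encode64(digest)


def check_password(password: str, stored: str) -> bool:
    """Constant-time comparison; malformed or foreign hashes never match."""
    try:
        candidate = portable_hash(password, stored)
    except ValueError:
        return False
    return hmac.compare_digest(candidate.encode(), stored.encode())


if __name__ == "__main__":
    # Constructed sample: cost character "B", salt "abcdefgh".
    sample = portable_hash("correct horse", "$P$B" + "abcdefgh")
    print(sample, parse_portable(sample)["rounds"], check_password("correct horse", sample))
```
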