User credentials are stored Base64-encoded, which is effectively plaintext: Base64 is a reversible encoding that needs no key, so the values are easy to extract from logs or intercepted requests.
Passwords are hashed with bcrypt before storage, so an attacker cannot recover the original values even if the stored hashes are compromised.
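An audit check for the two storage forms described above, as an added example that is not from the original page: it flags stored values that Base64-decode straight back to text and recognises bcrypt hashes by their format. The function names, the sample records and the minimum cost of 10 are assumptions, and the sample values are constructed.

```python
import base64
import binascii
import re

# bcrypt modular-crypt format: "$2a$", "$2b$" or "$2y$", a two-digit cost,
# then 53 characters (22-character salt followed by 31-character digest).
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")


def classify_stored_credential(value, min_cost=10):
    """Return (verdict, detail) for one stored credential value.

    min_cost is an assumed policy threshold, not a value from the page.
    """
    match = BCRYPT_RE.match(value)
    if match:
        cost = int(match.group(1))
        if cost < min_cost:
            return ("weak-bcrypt", f"cost {cost} is below {min_cost}")
        return ("bcrypt", f"cost {cost}")
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return ("unknown", "not bcrypt and not Base64-encoded text")
    if text and text.isprintable():
        # No key was needed: decoding alone recovers the original value.
        # Returned here to show recoverability; do not log it in a real audit.
        return ("base64-plaintext", text)
    return ("unknown", "Base64 decodes to empty or non-printable data")


def audit(records, min_cost=10):
    """Map each user name to the verdict for its stored value."""
    return {user: classify_stored_credential(stored, min_cost)[0]
            for user, stored in records}


# Constructed sample rows. The bcrypt strings are placeholders that only
# follow the hash format; they are not real hashes of any password.
_FAKE_SALT_AND_DIGEST = "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
SAMPLE_RECORDS = [
    ("alice", base64.b64encode(b"S3cret!pass").decode()),
    ("bob", "$2b$12$" + _FAKE_SALT_AND_DIGEST),
    ("carol", "$2b$04$" + _FAKE_SALT_AND_DIGEST),
]

if __name__ == "__main__":
    for user, stored in SAMPLE_RECORDS:
        print(user, classify_stored_credential(stored))
```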