database: The password is stored in the database hashed and salted with crypt with two characters removed. The username is stored in plain text as well as their ip address.
Cookies: When the member logs in their username is stored in a cookie in plain text. The password is stored in a separate cookie, which is a crypted, salted, combined with the user's ip address, and then has two characters removed. Both cookies need to be correct. The password one is tied to the user's ip address. If a user logs in on a different computer with a different ip address then the cookie on the first computer will no longer be valid.
I don't see any reason to encrypt a member's username.
Question: When a person registers their username an email is sent which tells them what their username and password is. How do you use email confirmation?
Note: If I manually alter a cookie (you can do this quite easily with the Opera browser) so that the the username is a valid username, but the password is one that is used by someone else the user can still post just fine. I'll need to correct this. If you try to log in with a correct username and someone else's password you won't be logged in. The cookie has to be modified manually in order to do this.