Username and Password Controls

Username and Password Minimums and Maximums

You can control the minimum and maximum length of usernames and passwords here within the admin tool:

ADMIN TOOLS & SETTINGS > SECURITY SETTINGS > GENERAL SECURITY SETTINGS > "Username Length"
ADMIN TOOLS & SETTINGS > SECURITY SETTINGS > GENERAL SECURITY SETTINGS > "Password Length"

These will affect the usernames and passwords accepted in the user edit and registration routines.

You'll see controls like those shown in this screenshot:

We don't suggest making a lot of changes to this configuration. Decide what you want here at the start and stick with it.

Note that while the system requires a username, the email address for an account can also be used as the "username" to log in.

Password Storage

You control the method by which a password is saved in the database using the following settings:

ADMIN TOOLS & SETTINGS > SECURITY SETTINGS > GENERAL SECURITY SETTINGS > Admin Password Storage Method
ADMIN TOOLS & SETTINGS > SECURITY SETTINGS > GENERAL SECURITY SETTINGS > Client Password Storage Method

By default, as the software ships, the admin password is "hashed" while client passwords are "plain text". Those are also the two methods available within the software for saving a password at the database level. The difference between the two is that a hashed password is not stored in readable form at the database level, whereas a plain text password is. If an account's password is saved in plain text and you look in the relevant database table, you can tell what the password is simply by looking at it, and you can use that username and plain text password to log in as that user on the client side. If the password is saved as a hashed password, you cannot use what you see there to log in on the client side.

A client's password is saved using the method chosen at the time the account is created or the password is changed. So if the client password storage method was plain text when the account was created, the password stays in that state until it is changed (whether instigated by the user, the admin or the system). Until then, the plain text password stays in the system no matter how the system configuration changes. When the password is changed, the "Client Password Storage Method" in effect at that time is used; the storage method is reconsidered each time the password is changed.

No matter the storage method used at the database level, the password for an account is not exposed in the browser anywhere in the software.
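
Because the storage method is applied only when a password is written, switching the client setting to hashed leaves existing rows in plain text until each password is next changed. The following Python model is an added example, not the software's own code: the `UserStore` class, its field names and the PBKDF2 hash are assumptions made for illustration (the page does not name the hash the software uses). It models that behaviour and lists the accounts that still need a password change.

```python
import hashlib
import hmac
import os

class UserStore:
    """Hypothetical model of the write-time storage rule; not the product's schema."""

    def __init__(self, client_method="plain"):
        self.client_method = client_method  # models "Client Password Storage Method"
        self.rows = {}                      # username -> (method, stored_value)

    def _hash(self, password, salt=None):
        # PBKDF2-SHA256 is an assumption; the page does not say which hash is used.
        salt = salt or os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return salt.hex() + "$" + digest.hex()

    def set_password(self, username, password):
        # The method in force at write time decides how this one row is saved.
        if self.client_method == "hashed":
            self.rows[username] = ("hashed", self._hash(password))
        else:
            self.rows[username] = ("plain", password)

    def check_login(self, username, password):
        if username not in self.rows:
            return False
        method, stored = self.rows[username]
        if method == "plain":
            return hmac.compare_digest(stored.encode(), password.encode())
        salt = bytes.fromhex(stored.split("$")[0])
        return hmac.compare_digest(stored, self._hash(password, salt))

    def still_plain_text(self):
        # Audit: accounts whose stored value is readable in the database.
        return sorted(u for u, (m, _) in self.rows.items() if m == "plain")

def demo():
    store = UserStore(client_method="plain")      # shipped default per the page
    store.set_password("alice", "correct horse")  # constructed sample accounts
    store.set_password("bob", "hunter2-example")
    store.client_method = "hashed"                # admin switches the setting
    before = store.still_plain_text()             # nothing was converted
    store.set_password("bob", "new-passphrase")   # only a change re-saves the row
    return before, store.still_plain_text(), store

if __name__ == "__main__":
    before, after, _ = demo()
    print("plain text after switching setting:", before)
    print("plain text after bob changes password:", after)
```
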

Admin Password Change

To change the admin user's login credentials, go to the following admin tool page:

ADMIN TOOLS & SETTINGS > CHANGE PASSWORD

Within the above admin tool you can change the username and password for the admin account only. If you wish to change any other information attached to the admin account, click the Edit Admin's Personal Data link on that page. But note that since the admin should NOT be used to manage this should not be of much use.

You cannot change the admin account details from the client side. This is a protection for the admin account. Admin account details can ONLY be changed in the site admin tool.

Client Password Change

The client's password can be changed both within the software's admin tool and within the client side admin tool for that user. For a client to change their own password, they log into the client side using their current login credentials, go to the My Account Information admin tool and click the edit my info button on that page. They'll see a screen like:

They'll need to enter their password twice to change it. Note that, depending on your configuration, they may also need to enter their current password to allow the change.

The need to insert the current password to change user account details is controlled by the following admin tool control found here:

ADMIN TOOLS & SETTINGS > SECURITY SETTINGS > GENERAL SECURITY SETTINGS > Require pass:  User-Info Edit

and shown in the following screenshot:

startup_tutorial_and_checklist/feature_configuration/user_account_login/username_passwords.txt · Last modified: 2014/09/25 16:55 (external edit)