How/where are the "internal user" passwords stored?

All information associated with an internal user (normally used for guest user account management) is stored in the PaperCut Database. The passwords are not stored in plain text. Passwords are stored as a one-way hash in line with security best practice - a BCrypt sum factored from a combination of username + password + a salt. This use of a secure one-way hash ensures that users’ passwords are kept private even if someone has access to the PaperCut database.

This same security policy applies to the in-built admin password.

The password used for external users (e.g. LDAP or Active Directory) are never stored or cached. All password validation for external users are done with a real-time lookup/query to the external system.