When you are using the built-in SIGNL4 custom authentication (email/password pair), your password is stored as hashed value only. We use SHA512 which is the highest encryption option in SHA-2.
Because of our 'mobile first' strategy, password change is currently (Sep 20) only possible through the mobile app. Password change will be available in the web portal soon, too.
We provide a first-time password via email for convenience reasons (hashed storage too!). You can change this password any time later in the mobile app, which is recommended. Sending this first-time password via email is secure and encrypted if your mail server supports secure SMTP (TLS) which is our default way of communicating.