For the simple QPWDLVL 0 system value setting, user profile passwords are stored encrypted in an independent index object named QSYUPTBL in library QSYS. The encryption is basic 56-bit DES. A second password using the LANMAN scheme is stored for access through NetServer for Windows clients. QPWDLVL 1 also uses basic DES but eliminates Windows/NetServer passwords. Passwords at these levels have a 10-character length limit, are upper-case and have only letters and digits plus characters @, # and $.
QPWDLVL 2 is much higher. Passwords can become “pass phrases” up to 128 characters and can include all characters. QPWDLVL 3 eliminates Windows/NetServer passwords from the system. AFAIK, SHA is used for encryption, but I can’t find a direct reference at the moment.
For the older DES encryption, the algorithm is documented in 5250 Telnet Enhancements, so you should be able to access the QSYUPTBL object and research it. You will, of course, need high authority to access it and MI routines to materialize it.
The system never decrypts passwords. A supplied password is encrypted with the same algorithm and compared against the stored encrypted value.