In classical Unixes the passwords were stored... and then later they were stored in an encrypted (recoverable!) form.
I've intentionally stuck with actually storing passwords in plain text as a clear indicator that the security of my OS is lacking and should not be assumed, though I did previously use SHA256 hashes in the past.
On the note of authentication, this is something POSIX specifically does not cover, so even if you're aiming for standard compliance you're open to do whatever you want. I hide away my authentication process into a library that has methods to verify credentials and assume an identity, and it gets used by the login apps as well as sudo.