The user database is traditionally contained in the /etc/passwd file. Some systems use shadow passwords, and have moved the passwords to /etc/shadow. Sites with many computers that share the accounts use NIS or some other method to store the user database; they might also automatically copy the database from one central location to all other computers.
The user database contains not only the passwords, but also some additional information about the users, such as their real names, home directories, and login shells. This other information needs to be public, so that anyone can read it. Therefore the password is stored encrypted. This does have the drawback that anyone with access to the encrypted password can use various cryptographical methods to guess it, without trying to actually log into the computer. Shadow passwords try to avoid this by moving the password into another file, which only root can read (the password is still stored encrypted). However, installing shadow passwords later onto a system that did not support them can be difficult.
With or without passwords, it is important to make sure that all passwords in a system are good, i.e., not easily guessable. The crack program can be used to crack passwords; any password it can find is by definition not a good one. While crack can be run be intruders, it can also be run by the system adminstrator to avoid bad passwords. Good passwords can also be enforced by the passwd(1) program; this is in fact more effective in CPU cycles, since cracking passwords requires quite a lot of computation.
The user group database is kept in /etc/group; for systems with shadow passwords, there can be a /etc/shadow.group.
root usually can't login via most terminals or the network, only via terminals listed in the /etc/securetty file. This makes it necessary to get physical access to one of these terminals. It is, however, possible to log in via any terminal as any other user, and use the su command to become root.