When a user *logs in* to an account on your site, their password shouldn't be changed at all. The only time JFBConnect should ever be updating the password in the database for the user is when they are registering an account. After that, it's all in Joomla's (or other 3rd party profile extensions) hands.
As for 'how' JFBConnect generates a password, we pass it through Joomla's own password generation function. The exact code is:
$user['password'] = JUserHelper::hashPassword($this->_newUserPassword);
That hashPassword function uses a salted bcrypt password, which is pretty industry standard now for preventing against multiple attacks and what Joomla does natively.
I hope that helps, but if you're seeing other behavior, please let us know the exact steps to reproduce and what you're seeing. Also, if the password field in the database is being changed somehow during a login, does the password for the user still work, or does the change break it from working?
Thanks,
Alex