Account and password security OWASP guidelines

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
6 years ago
Please can NopCommerce consider following the OWASP guidelines for account and password security out of the box. This will greatly help meet the GDPR regulations. A guide can be found here: https://www.owasp.org/index.php/Authentication_Cheat_Sheet. Currently it falls down badly on account enumeration, and other aspects could be greatly improved.

Also, please consider a third option for password storage to be the hashed password encased in encryption. A good article (as well as contained within the previous link) can be found here: https://blogs.dropbox.com/tech/2016/09/how-dropbox-securely-stores-your-passwords/

Lastly, although I am not expecting out-of-the-box support (easy integration would be nice), it would be good if, when the user enters a password, it is checked against a list of known insecure passwords like this: https://haveibeenpwned.com/Passwords


PS: off topic, but a good way to guard against XSS attacks would be to allow Content Security Policies to be added through the interface (if not already added out of the box); see https://www.owasp.org/index.php/Content_Security_Policy. They can easily be generated through Fiddler and a CSP plugin (available on GitHub).
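The breached-password check the post asks for can be done without ever sending the password (or its full hash) to the third-party service: the Pwned Passwords API uses a k-anonymity range query, where only the first five hex characters of the SHA-1 hash are sent and the remaining 35 are compared locally against the returned list. The block below is an added example, not code from the post or from nopCommerce; it is written in Python rather than nopCommerce's C# purely so that it runs stand-alone, and the pattern carries over directly. The range response it checks against is constructed for the demo (the suffix for "password" is the real SHA-1 remainder, the counts are made up); `live_range_lookup` shows the real endpoint and is not called offline.

```python
import hashlib
import urllib.request

# k-anonymity range check as used by the Pwned Passwords API:
# only the first 5 hex characters of the SHA-1 hash leave the server.
RANGE_API = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> tuple:
    """Return (5-char prefix, 35-char suffix) of the upper-case hex SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into a mapping; blank lines are ignored.
    Padded responses contain filler entries with count 0, which is harmless here."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, range_lookup) -> int:
    """How many times the password appears in the breach corpus (0 = not found).
    range_lookup(prefix) must return the raw response body for that prefix."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)


def live_range_lookup(prefix: str) -> str:
    """Fetch a range from the real API (needs network; not used in the demo).
    Add-Padding asks the service to pad the response so its size leaks nothing."""
    req = urllib.request.Request(RANGE_API + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for the range response (demo data, not a real API reply).
SAMPLE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:42\n"
             "0123456789ABCDEF0123456789ABCDEF012:7\n",
}


def sample_range_lookup(prefix: str) -> str:
    return SAMPLE_RANGES.get(prefix.upper(), "")


def is_acceptable(password: str, range_lookup=sample_range_lookup) -> bool:
    """Policy hook for registration / password change: reject anything seen in a breach."""
    return pwned_count(password, range_lookup) == 0


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", "ok" if is_acceptable(pw) else "rejected (seen in a breach)")
```

To wire this into a registration or change-password flow, call `is_acceptable` with `live_range_lookup` as the lookup and treat a network failure as "unknown" rather than silently accepting the password; the prefix-only query means the service never learns which password was checked.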
6 years ago
Just to add to this, a good guide on how NopCommerce can transition from SHA1 hashes to something more secure can be found at: https://veggiespam.com/painless-password-hash-upgrades/
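The "painless" upgrade the linked guide describes has two steps: first, in a single offline pass, run every stored SHA1 hash through the stronger KDF (the password is not needed for this, so no account is left on weak hashing while waiting for users to log in); second, at each successful login, when the plaintext is available, replace the wrapped record with a native one. The block below is an added example illustrating that flow, not code from the post or from nopCommerce. It assumes a legacy format of hex(SHA-1(salt || password)) with the salt stored beside the hash (an assumption, not nopCommerce's exact layout), uses PBKDF2-HMAC-SHA256 from the standard library as the stronger KDF, and is in Python rather than C# so that it runs as-is.

```python
import hashlib
import hmac
import os

# Legacy format assumed for the example (not nopCommerce's exact storage layout):
# hex(SHA-1(salt || password)) with the salt stored next to the hash.
PBKDF2_ITERATIONS = 100_000  # demo setting; raise to current OWASP guidance in production


def legacy_sha1(password: str, salt: bytes) -> str:
    """The old scheme, kept only so wrapped records can be verified."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def _kdf(material: bytes, kdf_salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", material, kdf_salt, PBKDF2_ITERATIONS).hex()


def new_native_record(password: str, kdf_salt: bytes = None) -> dict:
    """Record for a password seen in the clear (registration or a successful login)."""
    kdf_salt = kdf_salt or os.urandom(16)
    return {"scheme": "pbkdf2", "kdf_salt": kdf_salt.hex(),
            "hash": _kdf(password.encode("utf-8"), kdf_salt)}


def wrap_legacy_record(legacy_hex: str, legacy_salt: bytes, kdf_salt: bytes = None) -> dict:
    """Step 1, run once over the whole table: PBKDF2 over the stored SHA-1 hex.
    No plaintext is needed, so the weak hash is gone from storage immediately."""
    kdf_salt = kdf_salt or os.urandom(16)
    return {"scheme": "pbkdf2_over_sha1", "legacy_salt": legacy_salt.hex(),
            "kdf_salt": kdf_salt.hex(), "hash": _kdf(legacy_hex.encode("ascii"), kdf_salt)}


def verify_and_upgrade(password: str, record: dict) -> tuple:
    """Step 2, at login: return (ok, replacement_record).
    replacement_record is None unless the check passed on a wrapped record,
    in which case the caller should store the returned native record."""
    kdf_salt = bytes.fromhex(record["kdf_salt"])
    if record["scheme"] == "pbkdf2":
        material = password.encode("utf-8")
    elif record["scheme"] == "pbkdf2_over_sha1":
        # Recompute the inner legacy hash from the plaintext, then the outer KDF.
        inner = legacy_sha1(password, bytes.fromhex(record["legacy_salt"]))
        material = inner.encode("ascii")
    else:
        raise ValueError("unknown scheme: %r" % record["scheme"])
    ok = hmac.compare_digest(_kdf(material, kdf_salt), record["hash"])
    if ok and record["scheme"] != "pbkdf2":
        return True, new_native_record(password)
    return ok, None


if __name__ == "__main__":
    salt = os.urandom(16)
    stored = wrap_legacy_record(legacy_sha1("correct horse", salt), salt)
    ok, replacement = verify_and_upgrade("correct horse", stored)
    print("login ok:", ok, "| upgraded to:", replacement and replacement["scheme"])
```

Because the scheme tag travels with each record, old and new formats coexist in one table and the migration finishes on its own as users log in; the legacy SHA-1 code path can be deleted once no `pbkdf2_over_sha1` rows remain.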