They are one-way hashed and thus not decryptable. What is typically done in this situation is 1) everyone has to re-generate a password (not ideal) or 2) begin using the new scheme and continue to accept old passwords for some period of time.
I'm not exactly sure how #2 would be accomplished in Web2py. I am looking into that as well as figuring out how to implement bcrypt since there seems to be a lot of conversation about password security these days (http://news.ycombinator.org/item?id=2716714).
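Option 2 from the post above, sketched as an added example that is not part of the original post and is not web2py's own code. It assumes the old scheme is unsalted MD5, uses the standard library's PBKDF2 as a stand-in for bcrypt, and uses a plain dict in place of the user table; all function names are hypothetical.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for the stand-in KDF


def legacy_hash(password):
    # Assumed old scheme: unsalted MD5 hex digest.
    return "md5$" + hashlib.md5(password.encode()).hexdigest()


def new_hash(password, salt=None, iterations=ITERATIONS):
    # PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt here.
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def check(password, stored):
    scheme = stored.split("$", 1)[0]
    if scheme == "md5":
        candidate = legacy_hash(password)
    elif scheme == "pbkdf2":
        _, iterations, salt_hex, _ = stored.split("$")
        candidate = new_hash(password, bytes.fromhex(salt_hex), int(iterations))
    else:
        return False  # unknown scheme: reject rather than guess
    return hmac.compare_digest(candidate, stored)


def login(users, name, password):
    """Verify a login; upgrade a legacy record while the plaintext is in hand."""
    stored = users.get(name)
    if stored is None or not check(password, stored):
        return False
    if not stored.startswith("pbkdf2$"):
        users[name] = new_hash(password)  # rehash under the new scheme
    return True


def legacy_accounts(users):
    # Accounts still on the old scheme; force a reset for these at cutoff.
    return sorted(n for n, h in users.items() if not h.startswith("pbkdf2$"))


# Constructed sample store: two accounts created under the old scheme.
USERS = {"alice": legacy_hash("correct horse"), "bob": legacy_hash("hunter2")}
```

The scheme prefix on each stored value is what lets both formats coexist during the transition; `legacy_accounts` lists who still needs a forced reset when the acceptance period ends.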

