The backup has everything that is stored in the database. It's a bit by bit copy of everything that defines the database. User database would not have passwords. The backup of the master database would have passwords in it. But, they're encrypted. You couldn't just read them out of the backup.
Assuming the passwords are in a table within the database, if you don't take steps to encrypt the passwords or secure your backups, yes in theory someone could steal the backup file, restore it and then subsequently read passwords. Transparent Data Encryption would help to solve that problem as well as column level encryption. Hope that helps!