Agreed. It's one thing we look for as part of our own PCI compliance. Passwords in any sort of open text are a no-no.
But seriously, assume they can read your email, PMs, etc. I'm not going to feel violated if 'they' do. It's not my server, application or site.
Just to clarify encryption vs hashing...
Hashing doesn't do anything with the actual data, just makes calculations and produces a result. Encryption still has the original data, and with the appropriate key, you can extract that data.
For example:
If you did a ROT13 "encryption" on the password "greeborules", you'd get:
"terrobehyrf"
Now if you took that "terrobehyrf" and put it through the ROT13 again, you'd get the original "greeborules". The data is still preserved.
If you, instead, create a simple hash of the password, you won't get any discernible data.
For instance, let's make a cheesy little hash function. First let's apply values to each letter of the alphabet. a = 1, b = 2, etc.
greeborules would then become
7 18 5 5 2 15 18 21 12 5 19
Now add all of those numbers together and you get 127.
There is no direct algorithm to take 127 and get "greeborules"; HOWEVER, there is a SLIGHT drawback to hashing. Since hashes don't care about the original data, only the result of the algorithm, there can be multiple ways to get the same hash result. These are called "collisions" and while programmers strive to make every hash result unique, there is almost always bound to be a collision or two. In the above example, any user's password which happened to equal "127" would be just as authentic as "greeborules" and could be used to log in. With the advanced hashes in use today, the odds are quite against you finding a collision, but the possibility still exists.
The biggest concern with hashes today is the folks with no time on their hands that create "rainbow tables", where they punch in every imaginable possible set of data (the entire rainbow) into the hash algorithm and record both the input and result. By posting these tables online, should you happen to have a password listed (or one of those freaky collisions), a hacker could "decipher" your password from the hash in the database.
I hope this didn't go too technical and perhaps gives a better insight to the realm of passwording...
If a website's "forgot my password" link sends you your password in an email, it's not really a good sign. 1) They apparently store your password in some format, or use encryption which means they can access your password whenever (or someone else if they get ahold of the key), and 2) they just sent your password in plaintext over the internet. Bad juju.
Perhaps some others can shed further light on the topic, as I don't know too much about MD5/SHA1, but for now I'm going to bed.
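The ROT13 round trip, the add-the-letters hash with a collision for 127, and the hash-lookup-table attack described in the post above, worked through as an added Python example (this is not code from the original post or its author). It goes one step past the post at the end: the last function adds a random per-user salt, which is what stops a precomputed table from matching anything. The function names, the tiny wordlist and the sample passwords are assumptions made here for illustration.

```python
"""Worked example of the post's encryption-vs-hashing points (added here, not from the post)."""
import codecs
import hashlib
import os
import string

# a=1, b=2, ..., z=26 as in the post
LETTER_VALUES = {c: i for i, c in enumerate(string.ascii_lowercase, start=1)}


def rot13(text: str) -> str:
    """ROT13 'encryption'. Applying it twice restores the input: the data is preserved."""
    return codecs.encode(text, "rot_13")


def toy_hash(word: str) -> int:
    """The post's cheesy hash: add up the letter values. Non-letters are ignored."""
    return sum(LETTER_VALUES.get(c, 0) for c in word.lower())


def toy_collision(target: int) -> str:
    """Build a different word with the same toy hash (the 'any password equal to 127' problem).
    Greedy construction: as many 'z' (26) as fit, then one letter for the remainder."""
    if target < 1:
        raise ValueError("target must be positive")
    whole, rest = divmod(target, 26)
    return "z" * whole + (string.ascii_lowercase[rest - 1] if rest else "")


def sha256_hex(text: str) -> str:
    """A real one-way hash, as a site would store it (unsalted here, which is the weak setting)."""
    return hashlib.sha256(text.encode()).hexdigest()


def build_lookup_table(wordlist):
    """Precompute hash -> plaintext for every guess. This is the table-attack idea from the post
    (a real rainbow table compresses this with hash chains, but the effect is the same)."""
    return {sha256_hex(w): w for w in wordlist}


def crack(stored_hash: str, table: dict):
    """'Decipher' a hash by looking it up; returns None if the password was never tabulated."""
    return table.get(stored_hash)


def salted_hash(password: str, salt: bytes) -> str:
    """Going beyond the post: a random per-user salt makes a precomputed table useless."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


# Constructed sample data (an assumption for the demo, not a real leak)
WORDLIST = ["password", "letmein", "greeborules", "hunter2", "qwerty"]


if __name__ == "__main__":
    print(rot13("greeborules"), rot13(rot13("greeborules")))      # terrobehyrf greeborules
    print(toy_hash("greeborules"), toy_collision(toy_hash("greeborules")))  # 127 zzzzw
    table = build_lookup_table(WORDLIST)
    print(crack(sha256_hex("greeborules"), table))                 # greeborules (found)
    print(crack(sha256_hex("not-in-the-list"), table))             # None
    salt = os.urandom(16)
    print(crack(salted_hash("greeborules", salt), table))          # None: table never saw the salt
```

The `toy_collision` function shows why the post's additive hash is worthless as a password check: "zzzzw" also sums to 127 and would log in as "greeborules". The lookup-table part shows the same weakness for a real hash when the site stores it unsalted and the password is common enough to be in someone's wordlist.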