Short answer: This is extremely dangerous and must be avoided.
There are a few things here that should be changed. First, user passwords must always be hashed. As I said in the comments, bcrypt is a common and appropriate hashing mechanism.
Secondly, sending credentials back to a user leaves it open for abuse by an attacker - there is never a good reason to send this information back to the user. When a user exercises the forgot password functionality of an application, they should log back in with the new password. This removes your feature of logging the user in with their own encrypted password automatically.
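As an added illustration of both points in this answer (not code from the question or the answerer): the password is stored only as a salted hash, and the forgot-password flow issues a one-time token and accepts a new password rather than ever returning the stored credential. It uses the standard library's PBKDF2-HMAC as a stand-in for bcrypt (which is a third-party package), and the in-memory stores and the sample user are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stores standing in for a database.
USERS = {}          # username -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}   # username -> {"token_hash": bytes, "expires": float}

PBKDF2_ITERATIONS = 600_000  # work factor for PBKDF2-HMAC-SHA256


def hash_password(password, salt):
    # Salted PBKDF2-HMAC-SHA256 as a stdlib stand-in for bcrypt; the
    # plaintext password is never stored and cannot be recovered from this.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def register(username, password):
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": hash_password(password, salt)}


def verify_login(username, password):
    record = USERS.get(username)
    if record is None:
        return False
    return hmac.compare_digest(record["hash"], hash_password(password, record["salt"]))


def request_password_reset(username, ttl_seconds=900):
    # Returns the one-time token that would be e-mailed to the account's address.
    # Nothing about the existing password is sent back: only a hash of it exists.
    if username not in USERS:
        return None  # caller should answer identically whether or not the user exists
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[username] = {
        "token_hash": hashlib.sha256(token.encode()).digest(),  # store only the hash
        "expires": time.time() + ttl_seconds,
    }
    return token


def complete_password_reset(username, token, new_password):
    pending = RESET_TOKENS.pop(username, None)  # single use: consumed on any attempt
    if pending is None or time.time() > pending["expires"]:
        return False
    if not hmac.compare_digest(pending["token_hash"], hashlib.sha256(token.encode()).digest()):
        return False
    register(username, new_password)  # fresh salt and hash; user logs in again with it
    return True
```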