As Dave said, they could be, and hopefully are, using encryption, but I have seen sites that store passwords in plain text. They could also generate a new temporary password when you hit the "I forgot my password" button, which you have to change the first time you log in with it. The bottom line is you don't know how they store your password, and unless the site is hosted by the same company that you get support from and they only have a few people, it is unlikely that you would be able to ask anyone who would know how it is stored; even if they did know, it is unlikely they would tell you.
I abandoned a site because they insisted on e-mailing me my username and password once a month, whether I asked for it or not. I e-mailed them several times to tell them that this was not good practice, then gave up. – TRiG – 2011-06-20T11:40:01.673
Related to this question - http://superuser.com/questions/46810/should-i-be-concerned-if-my-git-hosting-provider-projectlocker-stores-passwords – ChrisF – 2009-09-25T16:21:51.637
3 Encryption is a two-way process where you somehow can decrypt the information given the correct key. Passwords should normally use hashing instead, which in theory is a one-way coding where the password results in a specific hash value - which is hard or impossible to reverse. When you then log in, your entered password is coded in the same way and compared to the stored coded value, and it lets you in if they match. In practice you can sometimes reverse the process through various brute-force processes like using rainbow tables... – Oskar Duveborn – 2009-09-25T17:35:20.833
2 Whether or not they had it encrypted, they sent it in a plain-text email! That website is not serious or clued-in about security in any way. Hopefully you didn't give them a password that you use anywhere else. Right? – DanO – 2009-10-30T22:24:34.877
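The hash-and-compare login described in the comment on hashing above, as an added example that is not part of the original thread: it stores a salted, slow hash instead of the password and shows why a per-user salt defeats precomputed (rainbow) tables. The function names, the choice of PBKDF2-HMAC-SHA256 and the iteration count are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample value, for illustration only.
SAMPLE_PASSWORD = "correct horse battery staple"
ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def unsalted_sha256(password: str) -> str:
    """Weak scheme: the same password always yields the same digest,
    so one precomputed table reverses it for every user at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is generated at
    registration; the stored salt is passed back in at login."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=32
    )
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Re-derive the digest from the entered password and compare it
    to the stored one in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # Unsalted: two users with the same password share one digest.
    print(unsalted_sha256(SAMPLE_PASSWORD) == unsalted_sha256(SAMPLE_PASSWORD))

    # Salted: same password, different stored values per user.
    salt_a, stored_a = hash_password(SAMPLE_PASSWORD)
    salt_b, stored_b = hash_password(SAMPLE_PASSWORD)
    print(stored_a != stored_b)

    # Login succeeds only with the right password; the site never
    # needs to keep, or be able to e-mail, the original.
    print(verify_password(SAMPLE_PASSWORD, salt_a, stored_a))
    print(verify_password("wrong guess", salt_a, stored_a))
```

A site that stores only the salt and digest cannot send you your existing password, which is why a reset link or temporary password is the expected recovery path.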