If a "forgot your password?" page emails your old password, is that definitive proof that they have stored it in plain text?

Solution 1:

They might be using encryption when the password is stored in the DB but they shouldn't be storing it in a retrievable format at all, encrypted or otherwise.

They should be taking a one-way hash of the password (plus a salt). This means they can check the password you enter now matches the one you gave before but they (or some cracker with access to their DB) cannot find out what it is. Encrypting the password means a cracker would have to find the DB and the encryption key, but since the key must be on the server serving the website this is hardly inconceivable.

So if they can send you your password, this means they are not following well-known security best practices.

Bad practice like this is a good reason for using a different password for every website you register at.

Solution 2:

Even if it is encrypted and secure, that e-mail was in no way secure.

One thing you do know: by using e-mail, your password is now almost certainly stored in plain text at many other locations:

  • On their mail server
  • On your e-mail provider's server
  • In your computer's browser or e-mail storage directories
  • On the hard drive/logs of anyone who might have been "listening in" along the way
  • ...and quite possibly at any Internet hop between you and that site.

Solution 3:

As Dave said, they could and hopefully are using encryption, but I have seen sites that store passwords in plain text. They could also generate a new temporary password when you hit the "I forgot my password" button, which you have to change the first time you log in with it. The bottom line is you don't know how they store your password, and unless the site is hosted by the same company that you get support from, and they only have a few people, it is unlikely that you would be able to ask anyone who would know how it is stored, and even if they did know, it is unlikely they would tell you.
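The temporary-credential approach this answer mentions, as an added example that is not part of the original answer: instead of mailing anything the site already knows, it mails a fresh random reset token that is single-use and short-lived, and it stores only a hash of that token, so a copy of the database cannot be turned into working reset links. The 15-minute lifetime, the record layout and the in-memory store are assumptions for illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

RESET_TOKEN_TTL = 15 * 60  # seconds; assumed lifetime for this example


@dataclass
class ResetRecord:
    username: str
    expires_at: float
    used: bool = False


# Constructed in-memory store: token hash -> record. Only the hash is kept.
RESET_STORE: Dict[str, ResetRecord] = {}


def _hash_token(token: str) -> str:
    # The token is 256 bits of randomness, so a plain SHA-256 is enough here;
    # the slow salted hash used for passwords is for low-entropy secrets.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(username: str, now: Optional[float] = None) -> str:
    """Create a token for the e-mail link and record its hash and expiry."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_STORE[_hash_token(token)] = ResetRecord(username, now + RESET_TOKEN_TTL)
    return token  # goes into the e-mail; never written to the store as-is


def redeem_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username if the token is valid, unused and unexpired, else None.

    The caller then lets that user set a brand-new password.
    """
    now = time.time() if now is None else now
    record = RESET_STORE.get(_hash_token(token))
    if record is None or record.used or now > record.expires_at:
        return None
    record.used = True  # single use: a second click on the same link fails
    return record.username


if __name__ == "__main__":
    t = issue_reset_token("alice")
    print(redeem_reset_token(t))  # alice
    print(redeem_reset_token(t))  # None, already used
```

The old password is never involved: the site does not need to know it to issue the token, and an attacker who reads the store sees only hashes with no way back to the link that was mailed.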