Web Hosting Talk

Security question - retrieving forgotten passwords


Eiolon
05-08-2008, 09:47 PM
I don't know if this is the appropriate forum but I will ask anyway.

I forgot a password to a site I use very rarely. When I used the forgot password feature, it e-mailed the password to me.

Now, I am not an expert by any means, but does that mean the password is not stored as a hash in the database?

Usually sites will send a randomly generated password and force you to change it upon login. But this site e-mailed the actual password, which I thought would be impossible to reverse if it were hashed.

Am I being paranoid?

Scott.Mc
05-08-2008, 10:30 PM
You are correct; if it sent you the password in plain text then it's likely not storing it with a one-way hash.

BurakUeda
05-09-2008, 03:22 AM
You log in to the site with your plain password, and the site compares it with the encrypted one.
So one way or two way, the encrypted password is there and can be decrypted. No significant difference IMHO.

blueroomhosting
05-09-2008, 05:03 AM
You log in to the site with your plain password, and the site compares it with the encrypted one.
So one way or two way, the encrypted password is there and can be decrypted. No significant difference IMHO.

The one-way hash cannot be decrypted; the comparison is done between the two hashes: if the hash of the initial password and the hash of the entered password are the same, then it is assumed that the two passwords are the same.

Yes, there is little difference between storing a plain password and an encrypted one, but what is typically done (and should be done) is to store only a hash (preferably salted) of the password. Now there is a big difference: if that site ever has an information leak, would you rather someone:

a) Gets a list of usernames and passwords that might be valid on other sites too - a lot of people only use two or three unique passwords.
b) Gets a list of usernames and hashed passwords which can't be used anywhere else, as the one-way hash prevents them from finding the true password.

Option A might not seem so bad if it is a random attack, but what if it is targeted? One site with a weak security policy would then become a gateway to many others.

Jim
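As an added illustration of the scheme Jim describes (example code, not from the thread): a minimal Python user store that keeps only a salted PBKDF2 hash, verifies a login by hashing the entered password and comparing digests, and, because it cannot recover the original password, answers "forgot password" with a one-time reset token instead of mailing the password back. The function names and the in-memory dict store are assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

# Constructed example: an in-memory user store that keeps only a salted,
# iterated hash of each password. PBKDF2-HMAC-SHA256 is from the standard library.
ITERATIONS = 200_000

def hash_password(password: str, salt: bytes = b"") -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user means two users with the
    same password get different digests, so a leaked table cannot be cracked in bulk."""
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def register(store: dict, username: str, password: str) -> None:
    """Store only salt + digest; the plain password is discarded after this call."""
    salt, digest = hash_password(password)
    store[username] = {"salt": salt, "digest": digest}

def login(store: dict, username: str, password: str) -> bool:
    """Hash the entered password with the user's stored salt and compare the two
    hashes. Nothing is decrypted; constant-time compare avoids timing leaks."""
    rec = store.get(username)
    if rec is None:
        return False
    _, digest = hash_password(password, rec["salt"])
    return hmac.compare_digest(digest, rec["digest"])

def forgot_password(store: dict, username: str) -> Optional[str]:
    """The site cannot mail the old password back because it never had it. Instead it
    issues a random one-time token (returned here, to be e-mailed) and keeps only the
    token's hash, so a database leak does not expose live reset tokens either."""
    rec = store.get(username)
    if rec is None:
        return None
    token = secrets.token_urlsafe(32)
    rec["reset_hash"] = hashlib.sha256(token.encode()).digest()
    return token

def reset_password(store: dict, username: str, token: str, new_password: str) -> bool:
    """Accept the reset only if the presented token hashes to the stored value,
    then replace salt and digest and discard the token hash (single use)."""
    rec = store.get(username)
    if rec is None or "reset_hash" not in rec:
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), rec["reset_hash"]):
        return False
    salt, digest = hash_password(new_password)
    store[username] = {"salt": salt, "digest": digest}
    return True
```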