Also the token should be regenerated as well on use, not stored as plaintext token, either. But yeah - the idea to store plaintext password encrypted or hashed is just stupid.