
It is impossible to store passwords in a one-way hash and also email it to a user and show it on a web page at some point in the future. That's the point of a one-way hash, it can only be encrypted, not unencrypted. No one should ever be able to see what that original password was -- even people with access to the database.

Lots of people use the same passwords for multiple sites. If I have access to your WP password and username and other sites you visit, I could hack those too!

I haven't looked at WP's code, but if the blog is accurate, then those passwords must be at best two-way encrypted.
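A minimal illustration of the one-way scheme the comment above describes (an added example, not code from WordPress or from the commenter): the stored record is a salted PBKDF2 hash, login re-derives and compares it, and nothing in the record lets the original password be recovered or shown again later. The record format, the iteration count and the account-creation helper are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed storage format: pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>
# Assumed work factor for PBKDF2-HMAC-SHA256 (tune to your hardware).
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a salted, iterated one-way hash. The plaintext cannot be
    recovered from the returned record, only re-derived and compared."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count and compare in
    constant time; malformed records are rejected rather than raising."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        salt, digest = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256" or rounds <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, digest)


def create_account(username: str, password: str, db: dict) -> str:
    """Hypothetical sign-up step: the plaintext exists only in memory here;
    only the hash is persisted and the welcome message omits the password,
    so there is nothing to email or display later."""
    db[username] = hash_password(password)
    return f"Welcome {username}. Use the reset flow if you forget your password."


def records_contain_plaintext(db: dict, password: str) -> bool:
    """Review check: the plaintext must never appear in any stored record."""
    return any(password in record for record in db.values())
```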




The blog is not accurate. They only send you your password the first time, when you create it. They store a hash, all you can do afterwards is reset it.

http://support.wordpress.com/passwords/


Makes me feel a bit better about WP. They are still storing the passwords temporarily in 2-way, so it's less of a hacking risk for the new account, though potentially a hacking opportunity for other websites used by the same user.

I still can't say I approve of their implementation though. What if someone is looking over your shoulder when you click the link to see your new account has been created and your password is right there for someone watching?



