The way I typically handle it is to:
- store them crypted
- require that the login page be accessed via SSL
- forgotten password is reset and emailed ONLY to the email address stored in the database for the provided user id. This doesn't prevent a malicious person from resetting someone else's password, BUT the person who receives the email saying what the new (randomly generated) password is, is the valid user.
perl -l -e "eval pack('h*','072796e6470272f2c5f2c5166756279636b672');"
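The three points in the reply above, worked through as an added Python example (not code from the original post or its author): passwords are stored only as salted hashes, the login handler refuses to process credentials that did not arrive over HTTPS, and the reset flow generates a random password and delivers it solely to the address already on file for the user id, ignoring whatever address the requester supplied. The in-memory USERS table, the OUTBOX mail stand-in, the PBKDF2 parameters and the request scheme check are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import string

# Constructed in-memory user table standing in for the database (assumption).
# The email here is the address on file; it is the only place a reset notice goes.
USERS = {
    "alice": {"email": "alice@example.test", "salt": None, "hash": None},
}

# Constructed stand-in for the outgoing mail queue (assumption): list of sent messages.
OUTBOX = []

PBKDF2_ITERATIONS = 600_000  # assumption: work factor chosen for the example


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest; the clear-text password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def set_password(user_id: str, password: str) -> None:
    """Store a fresh salt and the derived hash for the user, replacing any old one."""
    rec = USERS[user_id]
    rec["salt"] = os.urandom(16)
    rec["hash"] = hash_password(password, rec["salt"])


def verify_login(user_id: str, password: str) -> bool:
    """Compare the derived hash in constant time; unknown ids still pay the derivation cost."""
    rec = USERS.get(user_id)
    if rec is None or rec["hash"] is None:
        hash_password(password, b"\x00" * 16)  # keep timing similar to a real check
        return False
    return hmac.compare_digest(hash_password(password, rec["salt"]), rec["hash"])


def handle_login(scheme: str, user_id: str, password: str) -> str:
    """Login page must be reached over SSL/TLS: refuse to touch credentials otherwise."""
    if scheme.lower() != "https":
        return "redirect-to-https"
    return "ok" if verify_login(user_id, password) else "denied"


def generate_temp_password(length: int = 16) -> str:
    """Random password from a CSPRNG for the reset notice."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def reset_password(user_id: str, requested_email: str):
    """Forgotten-password flow from the post: generate a new random password and
    mail it ONLY to the address stored for user_id. requested_email is what the
    requester typed into the form; it is recorded but never used for delivery.
    Returns the address the notice went to, or None if the id is unknown."""
    rec = USERS.get(user_id)
    if rec is None:
        return None
    new_password = generate_temp_password()
    set_password(user_id, new_password)
    OUTBOX.append({
        "to": rec["email"],              # address on file, not the submitted one
        "requested_from": requested_email,  # kept for audit only
        "password": new_password,
    })
    return rec["email"]


if __name__ == "__main__":
    set_password("alice", "old-secret")
    print(handle_login("http", "alice", "old-secret"))   # redirect-to-https
    print(handle_login("https", "alice", "old-secret"))  # ok
    print(reset_password("alice", "someone-else@example.test"))  # alice@example.test
    print(verify_login("alice", OUTBOX[-1]["password"]))  # True
```

Anyone can trigger a reset for a known user id, exactly as the post says; the point the code makes is that the only party who can use the result is whoever reads the stored mailbox, so the submitted address is never an input to delivery.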