The password is probably encrypted, but reversibly so. That's still a potential security hole, but an attacker would need both the database (with its encrypted passwords) and the key.
Yes, that is correct. But we probably shouldn't email the password to the user. Just let them change it. Might consider a one-way hash instead of a two-way one though.