by evandena 5495 days ago
Unless I'm missing something, the CS Rep giving him his password in clear text does not necessarily mean it was stored in clear text.
2 comments

Newegg should not be able to determine what his password is. 2-way encryption is less bad than truly storing it in cleartext, but 1-way encryption is the only acceptable way to store a password unless there's some very compelling reason that you need to be able to decrypt it. (e.g., I used 2-way encryption to store people's Twitter passwords before OAuth because I needed to be able to tell Twitter their passwords, so 1-way wouldn't work.)
If you can get the cleartext of the password without any information outside of what lives on Newegg's servers, then the password is effectively stored in cleartext.
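
Added example, not part of the thread and not any site's actual code: it contrasts the "2-way" and "1-way" storage the comments describe and shows what can be read back using only server-side data. The function names, the toy stream cipher standing in for reversible encryption, the PBKDF2 work factor and the sample password are all assumptions made for illustration.

```python
import hashlib, hmac, os

ITERATIONS = 600_000  # assumed PBKDF2 work factor for this example

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stream cipher (HMAC-SHA256 in counter mode): a stand-in for any
    # reversible "2-way" scheme, not a recommendation.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def store_two_way(password: str, server_key: bytes) -> dict:
    # Reversible: the ciphertext plus the server-held key yields the password.
    nonce, data = os.urandom(16), password.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(server_key, nonce, len(data))))
    return {"scheme": "two-way", "nonce": nonce, "ciphertext": ct}

def store_one_way(password: str) -> dict:
    # One-way: only a per-user salt and the derived digest are kept.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"scheme": "one-way", "salt": salt, "digest": digest}

def verify_one_way(record: dict, attempt: str) -> bool:
    # Login check: re-derive from the attempt and compare in constant time.
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["digest"])

def support_rep_lookup(record: dict, server_key: bytes):
    """What someone holding only server-side data can read back."""
    if record["scheme"] == "two-way":
        ct = record["ciphertext"]
        ks = _keystream(server_key, record["nonce"], len(ct))
        return bytes(a ^ b for a, b in zip(ct, ks)).decode()
    return None  # one-way: nothing to decrypt; a login can only be checked or reset

if __name__ == "__main__":
    key = os.urandom(32)          # lives on the server beside the database
    pw = "correct horse battery"  # constructed sample password
    print("two-way:", support_rep_lookup(store_two_way(pw, key), key))
    rec = store_one_way(pw)
    print("one-way:", support_rep_lookup(rec, key), "| login ok:", verify_one_way(rec, pw))
```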