User passwords are stored in the database as an unsalted md5 hash. This is almost as insecure as plaintext. Many plaintext passwords could be recovered from these hashes using commonly available lookup tables. The passwords should be stored in some form of secure salted hash - such as with the bcrypt algorithm.