Quite frankly, it scares me when I forget the password to a web-site, throw my email address in a form, and they send it to me. I mean, why would you want to do that? The person doesn't remember their password anyway, so why not assign a new one? How does it help anyone to maintain plain text (or ROT13 (or some other useless encryption method)) passwords? Just allow them the option to change it. That way if you send them the password "8%dlEi=Q" they don't have to live with that, although I would add some functionality to ensure that the password is >= 6 chars and includes >= 2(digits or special chars). Use their email and a hint to allow them to have a new password assigned.