in reply to Did Perlmonks Ever Salt and Hash Their Password Database?
The passwords are stored as plain text, or at least trivially retrievable.
A migration to hashed passwords isn't as easy, as the framework doesn't allow for this. Also, the threat of leaking a Perlmonks password isn't really high, if you don't reuse the password.
Of course, we know it would be better to store the passwords in a hashed manner and to have a nicer "reset my password" user interaction flow, but it hasn't been implemented.