That isn't the point he is making, though; there is a non-zero probability of an application attack resulting in the decryption of the passwords. The attack vector is now on at least 2 fronts if it stores encrypted/plaintext passwords: the login system and the password reminder system.