If you have a public key associated with your email address on a public keyserver, they could encrypt your password—using said key—when you set it, and then store only the encrypted copy. Then, even though they were holding it, the only person who could do anything with it is you :)
The standard, minimal approach is to keep a secure hash of each password and throw away the password itself. This has the same effect but doesn't require the average, unsophisticated user to have a public key.
But that's just the bare minimum approach - from there, you add a "salt" and other things. Done well enough, you should have a system where downloading your entire system shouldn't compromise your users' passwords. But that's only if this is done really well - the write-up for how HBGary got hacked actually is a great intro to this kind of thing.
My point was that you can retain the ability to email the user their own password with no loss of security (provided the user has a public key—like, say, GitHub or Heroku require, as they use passwordless ssh for repository synchronization.) My point was not that keeping someone's password around is any better an idea than just allowing them to reset it :)