If you forget your password for a website and you click [Forgot my password], sometimes the company sends you a new password by email but sometimes it sends you your old password by email. Compare these two cases in terms of vulnerability of the website owner.

If the site tells you what your password was, that means the site is storing your password rather than just a hash of it. This means that anyone who gains access to the site’s password database has access to all the passwords. If the site sends you a temporary password, there is a good chance it is not storing actual passwords, which is the correct approach from a security perspective.