Passwords are stored in an unsalted
MD5 Hash. The notification from the user signup presents the password the user had just set, prior to it entering the database (again, as an unsalted MD5 hash).
So basically:
1. User Registers
2. EMail is dispatched with the password they just entered into the registration page.
3. Password is MD5 encoded and inserted into the database
4. User clicks activation link to validate their email
Feel free to fire up PHPMyAdmin on your server and browse the _USERS table, all you'll see in the "PASSWORD" cell is an MD5 string (with the exception of the "guest" user, whos password is an invalid [not MD5 encoded] entry, since that user is a placeholder).