I think the easiest answer is to simply send a completely new automatically generated password when somebody forgets. I do that now with all of my sites... yeah, I guess it is a bit inconvenient that a user who forgets their password will have to enter some strange random string to get back in, but then they can change it to whatever they want.
There really is no easy answer - somebody who really wants to get a password could get it - even with encryption. Let's not pretend that SHA1 or MD5 are some great walls that keep people out.
I suppose if we wanted to get really serious, we find a way to deploy AES or Skipjack... or go really nuts with Blowfish. But good luck getting the correct cipher controls on the client machine.
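One way to implement the reset-by-random-password approach described above, as an added example that is not the poster's code. It assumes a hypothetical in-memory user store, and, since the post notes that a bare SHA1/MD5 digest is no wall, it stores the temporary password only as a salted PBKDF2 hash from Python's standard library and forces a change on the next login.

```python
import hashlib
import hmac
import secrets

# Constructed, in-memory user store standing in for a site's database.
# Each record holds a per-user salt, the password hash, and a flag that
# forces the user to pick a new password after logging in with a reset one.
USERS = {}

PBKDF2_ITERATIONS = 200_000  # raise for production hardware


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 is deliberately slow, unlike a bare SHA1/MD5 digest.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def set_password(username: str, password: str, must_change: bool) -> None:
    salt = secrets.token_bytes(16)  # fresh salt on every change
    USERS[username] = {
        "salt": salt,
        "hash": _hash_password(password, salt),
        "must_change": must_change,
    }


def reset_password(username: str) -> str:
    """Forgot-password path: generate a random temporary password, store only
    its hash, and return the plaintext once so the caller can send it to the
    user. It is never kept in plaintext server-side."""
    temporary = secrets.token_urlsafe(12)  # ~96 bits of randomness
    set_password(username, temporary, must_change=True)
    return temporary


def verify_password(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        _hash_password(password, b"\x00" * 16)  # same cost for unknown users
        return False
    candidate = _hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def change_password(username: str, old: str, new: str) -> bool:
    """The user's own change after logging in with the temporary password."""
    if not verify_password(username, old):
        return False
    set_password(username, new, must_change=False)
    return True


def must_change_password(username: str) -> bool:
    return USERS[username]["must_change"]
```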