It's definitely possible that they're storing the passwords using reversible encryption. However:
1) In my experience, it's often harder to set your app up to use reversible encryption instead of hashes, especially if you're using an existing authentication library. In a case like this, I would assume the path of least resistance is more likely.
2) Storing passwords as reversible encryption is almost as bad, as the person who compromises your security would likely have access to your application code (and therefore the key to decrypt the passwords), and the negligible benefits of being able to retrieve passwords are not usually worth the potential liability.
The key doesn't have to be stored on the server. It can be on a private computer that is not connected to any network at all. Still vulnerable, but much less so.
> It can be on a private computer that is not connected to any network at all.
So you're saying the support tech gets up from his desk, walks over to the computer with the key, gives the computer some command to produce the key, prints the key or writes it down on a piece of paper, walks back to his computer, types in the key, and finally shreds the piece of paper?
Sure, it's also possible that they store the encrypted passwords in a handwritten ledger and decode them when you log in. I was talking about what Newegg is most likely doing in real life.
1) In my experience, it's often harder to set your app up to use reversible encryption instead of hashes, especially if you're using an existing authentication library. In a case like this, I would assume the path of least resistance is more likely.
2) Storing passwords as reversible encryption is almost as bad, as the person who compromises your security would likely have access to your application code (and therefore the key to decrypt the passwords), and the negligible benefits of being able to retrieve passwords are not usually worth the potential liability.