Passwords are hashed using MD5 in cookies, and are never presented in plaintext via any user interface, frontend or backend. Unless the user has filesystem access to your server, or access to each victim's email account, there is no way to obtain user passwords.
There are still ways to obtain passwords, but they all rely upon the victim doing something wrong, such as using a weak password, or using the same password for multiple sites, one of which the malicious user has has compromised or runs.