Blockchain.info has always been pretty bad but I don't think they were this bad!
The site should be saving the "hash of the password" not the password or encrypted password. Basically how it works is that the user enters their password in their browser, the browser creates the hash of it and sends that hash to the site where it is compared with their stored hash. If it matches it signs in and sends back the encrypted wallet then the user in their browser uses the password to decrypt the wallet using AES.