Encryption means it can be reversed (with the correct key). Hashing means it can't. You never want to encrypt a password.
But yes, they can attempt to brute force a password. Since 1.2 (new users since then or anyone who logged in with a password since then), we use bcrypt, which makes this harder/slower, but it's still possible. To be safe, you need to assume that passwords have been compromised.
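The reply above says only new users and users who have logged in since 1.2 have bcrypt hashes. The sketch below is an added example, not part of the original post or the project's code, showing why: a hash cannot be reversed, so a stored value can only be upgraded at login, when the plaintext is briefly available. The legacy scheme (one unsalted SHA-256 pass), the `legacy$`/`slow$` prefixes, the iteration count and the sample accounts are assumptions, and PBKDF2 from the standard library stands in for bcrypt so the block runs without third-party packages.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # work factor of the slow hash (constructed value)

def legacy_hash(password):
    # Assumed pre-upgrade scheme: one fast, unsalted SHA-256 pass.
    return "legacy$" + hashlib.sha256(password.encode()).hexdigest()

def slow_hash(password, salt=None):
    # PBKDF2 stands in for bcrypt here: per-user salt plus a tunable work factor.
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"slow${salt.hex()}${dk.hex()}"

def verify(password, stored):
    scheme, _, rest = stored.partition("$")
    if scheme == "legacy":
        candidate = legacy_hash(password)
    elif scheme == "slow":
        salt_hex = rest.partition("$")[0]
        candidate = slow_hash(password, bytes.fromhex(salt_hex))
    else:
        return False
    # Constant-time comparison of the recomputed and stored values.
    return hmac.compare_digest(candidate, stored)

def login(users, name, password):
    stored = users.get(name)
    if stored is None or not verify(password, stored):
        return False
    if stored.startswith("legacy$"):
        # Only now is the plaintext available, so only now can we re-hash.
        users[name] = slow_hash(password)
    return True

def still_legacy(users):
    # Accounts that have not logged in since the upgrade keep the weak hash.
    return sorted(n for n, h in users.items() if h.startswith("legacy$"))

# Constructed sample accounts, both created before the upgrade.
USERS = {"alice": legacy_hash("correct horse"), "bob": legacy_hash("hunter2")}

if __name__ == "__main__":
    login(USERS, "alice", "correct horse")
    print("still on legacy hash:", still_legacy(USERS))
```

Accounts returned by `still_legacy` are the ones whose stored hashes remain cheap to brute force after a database leak, which is why a forced reset covers them too.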