The GDPR does not have specific rules on passwords. Instead, the GDPR imposes a more general requirement to ensure data protection by implementing “appropriate” technical and organizational measures, “[t]aking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons” (cf. Art 24, 25, 32 GDPR).
As of 2021, the state of the art for password storage is a special password hashing function such as Argon2, bcrypt, or scrypt.
However, the nature and context of processing could reasonably lead to the conclusion that the usual hashed password storage is not appropriate, for example because the ability to find links between user accounts is more important. There is a trade-off between different aspects of security, and the data controller could reasonably arrive at an unusual conclusion. However:
- The data controller would still have to implement appropriate measures to protect these plaintext passwords, for example by storing them in an encrypted manner, keeping unforgeable access logs, and limiting access to plaintext passwords to specially trained staff. Encryption is one of the few things that are explicitly required whenever appropriate. 
- The data controller better have a good analysis that shows that this unusual approach to security is appropriate. Even if not explicitly required, an Art 35 data protection impact assessment could be useful. The data controller has the burden of proof to show that these processing activities are GDPR-compliant. 
So is this data controller breaking the law or doing morally dubious stuff? Not necessarily! It is possible to find a scenario where they are doing the right thing. However, such a scenario is far-fetched and rather unlikely. Without further background, the most likely explanation is that the presented password handling scheme does not comply with GDPR.
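The trade-off described above, as an added example that is not part of the original answer: it stores the same constructed accounts once in plaintext and once as per-account salted scrypt hashes, then checks which accounts a data controller could link by comparing stored values. The account names, passwords, cost parameters and the helper `linked_accounts` are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
from itertools import combinations

# Assumed scrypt cost parameters for this sketch; tune them for your hardware.
N, R, P, DKLEN = 2**14, 8, 1, 32

def hash_password(password: str) -> dict:
    """Return a storable record: per-account random salt, parameters, digest."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=DKLEN)
    return {"salt": salt, "n": N, "r": R, "p": P, "hash": digest}

def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    candidate = hashlib.scrypt(
        password.encode(), salt=record["salt"],
        n=record["n"], r=record["r"], p=record["p"], dklen=len(record["hash"]),
    )
    return hmac.compare_digest(candidate, record["hash"])

def linked_accounts(stored: dict) -> set:
    """Account pairs whose stored credential values are byte-for-byte equal."""
    return {
        (a, b) for a, b in combinations(sorted(stored), 2)
        if stored[a] == stored[b]
    }

# Constructed sample data: two accounts reuse one password, one does not.
SAMPLE = {"alice": "correct horse battery", "bob": "correct horse battery",
          "carol": "tr0ub4dor&3"}

def demo():
    plaintext_store = dict(SAMPLE)  # what the unusual scheme keeps
    hashed_store = {u: hash_password(p)["hash"] for u, p in SAMPLE.items()}
    return linked_accounts(plaintext_store), linked_accounts(hashed_store)

if __name__ == "__main__":
    plain_links, hashed_links = demo()
    print("links visible with plaintext storage:", plain_links)
    print("links visible with salted scrypt storage:", hashed_links)
```

Login still works against the hashed records through `verify_password`; what the salted hashes remove is the ability to link accounts by comparing stored values.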