Here’s the scenario: I visit a sparkly new website and create an account. Later I find a welcome email in my box with confirmation of my new account. I don’t really need that but thanks anyway. The unforgivable part is when that email includes my username and password in plain text. Do you think I forgot my password in the 5 minutes it took for the email to arrive? Who thinks this is a good idea? Besides the fact that SMTP is sent in plain text, all of my email is archived in multiple places (online webmail, locally in Outlook PST files, and in my desktop search index).
It’s fine with me if a user wants to be loose with their passwords and write them on Post-It notes, but please don’t do it for us automatically!