[bigiain]

I'd guess that's the standard Wordpress account reg email - Wordpress _does_ email you a cleartext password, but it does also hash the password and only stores the hash.

I think it's a reasonable tradeoff - those of us with properly managed password storage can delete the email, but the 99% who _don't_ use some form of password safe can keep using their email archive as their place to look up passwords they've forgotten. (I see this a _lot_ in our clients non-technical Wordpress site subscribers...)

[izak30]

I know this is "standard wordpress". The problem with this is that your email isn't secure password storage, neither is the delivery of your email. Reset forgotten passwords, don't store or transfer them in plain text. Please.

[bigiain]

You're right. Except most of the world doesn't know it (yet).

_Lots_ of (mainly non-technical) people _do_ use their email archive as their "(not so) secure password storage".

As someone who regularly deals with website owners with non-technical audiences, I see all the time that this decision by the Wordpress devs is almost certainly a sensibly pragmatic choice. Those of us who know and care about password security can deal with it - delete the email when it arrives, if you're particularly paranoid go back and change it (I'm pretty sure Wordpress only does this on signup, not on password changes).

Until my mom uses 1Passwork or KeyPassX or PasswordSafe (or an equivalent), I can easily see why many many Wordpress site owners think this is the right compromise between password security and useability.

[bloggergirl]

Yes, bigiain is right ---- it's standard. I don't keep or store any of your personal information myself... unless you sign up for copy tips, in which case I keep your name and email address (using MailChimp).