by bigiain
5352 days ago
You're right. Except most of the world doesn't know it (yet). _Lots_ of (mainly non-technical) people _do_ use their email archive as their "(not so) secure password storage". As someone who regularly deals with website owners with non-technical audiences, I see all the time that this decision by the WordPress devs is almost certainly a sensibly pragmatic choice. Those of us who know and care about password security can deal with it - delete the email when it arrives, if you're particularly paranoid go back and change it (I'm pretty sure WordPress only does this on signup, not on password changes). Until my mom uses 1Password or KeePassX or PasswordSafe (or an equivalent), I can easily see why many, many WordPress site owners think this is the right compromise between password security and usability.