I'm trying to better understand the situation with sending of passwords. I appreciate that sending them by email is insecure, and so... 1 Rather than sending a password in response to a 'lost password' request, it's more secure for to send a link to set a new one. 2 For similar reasons, the signup (after payment) email doesn't contain an option to include a password. But I'm wondering why the registration (pre-payment) email can contain a password. I'm aware that after payment the password becomes hashed and hence can't be sent, but if security is the reason, then why is it hashed after payment rather than on account creation?