A couple of organizations I know have web pages that automatically send you an e-mail when you sign up.
The e-mail includes your username and passphrase in plain text.
1) Is sending an e-mail with your passphrase like this always a bad policy?
2) Can I deduce from this that the passphrases stored on their database are not hashed?
3) Is it a sign that they have poor security?
4) Should I change my passphrase, if a similar one has been used on other sites, now that this one has been sent in plain text via email?
Thanks for your help!