A couple of organizations I know have web pages that automatically send you an e-mail when you sign up.

The e-mail includes your username and passphrase in plain text.

1) Is sending an e-mail with your passphrase like this always a bad policy?

2) Can I deduce from this that the passphrases stored on their database are not hashed?

3) Is it a sign that they have poor security?

4) Should I change my passphrase, if a similar one has been used on other sites, now that this one has been sent in plain text via email?

Thanks for your help!