For everyone who is designing a website, please never never send a password in the registration confirmation email. I usually like keeping these confirmation emails to keep track of all the websites where I ever registered. However, when a website sends a confirmation email that contains the password along with the userid, I delete that email immediately. What is the need to send me my password in plain text? BTW, this just happened to me with ning.com.
In addition, learn about one-way encryption and never save the plain password. Password should never be “retrieved”. If the user loses his password, he should be able to reenter a new one. Just send a email with a long unique key that no one can guess and when accessed through such url, let the user enter a new password.