Thank you for signing up with us. Your new account has been setup and you can now login to our client area using the details below.
Email Address: my.mail@address
To login, visit http://secure.empire-hosting.net
Ah well.. Let's look at the other recommendations of that list, I guess.
But I even think this practice is useless. They just sent my password in cleartext. It sits now in my inbox and I have to delete it or I store my unprotected password. And - for what exactly? Does that serve any purpose? I just entered it a second ago.
So I question the usefulness of that approach and consider this very first contact unprofessional. YMMV and all.
1: Just tried the 'Forgot my password' dance and they don't retrieve it at least: Received mail with link to site which sends a mail with auto-generated password to log in. A bit weird, but well..
And as you point out with the "forgotten password dance", access to your email account gives an attacker access to your hosting account anyway (although not stealthily).
This was the very first contact. Sending me passwords (same for 'temporary ones' after a reset. I consider that a cumbersome process whereas I consider the initial mail just plain "wrong") delivers more than just the text over this channel.
I read between the lines "Here's your password again from 2 minutes ago. File it away" which again is nothing I consider a good idea. The impression is that they write the digital form of a post-it note of the password for my monitor.
Is it a big issue in itself? Nope, probably not. But it certainly ruined the first impression for me and I'll walk away now. I shared that part because others might (or might not) agree and to potentially save like-minded people a registration.
Password-reset emails are also easy for an attacker to generate, and no harder for them to intercept than the welcome email.
And yes, password-reset emails may also be a concern (not as severe, though, if reset emails are single-use and have short TTL).