I just registered as a new user for an OJS based journal http://ejournals.library.ualberta.ca/in ... complicity
and received a confirmation email containing my password.
1) I do not think that passwords (unless temporary) should ever be emailed to anyone. They could be reset.
2) Ideally, they should not even be stored in the clear. They could stored after a one-way hash. This email is only about 1)
For 1), a simple desktop query on 'password' could reveal all in the clear passwords available, including those in emails. People often re-use passwords, and this makes it easy to find and use other people's account. It is much easier for developers of any system to simply never email passwords. Please update the software to at least not include the password in any confirmation (or other) emails.
PS. I have to manually edit the received email to delete that portion. Not all email clients allow one to do so.