The DCSki Forums are powered by UBB.threads, one of the most popular commercial message forum packages on the web, and this is a design feature of UBB.threads that is out of my control. However, UBB.threads will only send this information to the official e-mail address used by the account creator. (And I would always encourage people to never re-use a password across web sites!)
Every forum package I've encountered includes similar functionality, particularly in the case of forgotten passwords, where it e-mails the password (or an "activation" link, which is essentially the same thing, and would also allow someone to access your account if they were able to view your e-mail) to the e-mail address on record. I would prefer that UBB.threads not e-mail the plaintext password on account creation -- especially since someone might re-use the same password across multiple sites (even though they should never do that). I looked through the settings of UBB.threads and don't see an option to do this.
There is always a tradeoff between convenience and security, and you have to consider the "worst case" scenario. In the case of the DCSki Forums, if someone were able to access your private e-mail, they could potentially login as you and post a message under your alias -- but that's it. They shouldn't be able to access any private data (because that type of data doesn't exist on DCSki), and if this ever happened, I would encourage someone to contact me right away to initiate an investigation.
I did just modify the registration message to notify people that the password they use will be e-mailed to them as part of the registration confirmation, so they know not to recycle a password used on other sites, and won't be surprised by this. You could also share your concern with the company that makes UBB.threads (
www.ubbcentral.com). But again, this seems to be common with message forum software. It's certainly not behavior I would expect from an on-line banking site.
