Conrad Irwin writes,
> The point of the password is so you can prove to the web interface
> that you own the email address; so the fact that it is in your email
> box doesn't matter much. (If your email gets hacked this is the last
> thing you're likely to be worried about after all.) As it says on sign
> up "do not use a valuable password".

The problem with a cleartext password in email isn't that your email
might get hacked. It's that each device with access to the network path
from list server to mail server and mail server to email client has
access to the password. Search the net for "password sniffer" for more
information.

> In which case so could the password reset emails. It gains you
> nothing.

Password reset tokens or URLs are generally designed to be used one
time, and then they expire. The user generally uses it within a few
minutes of initiating the password reset, preventing any later use of it.
On the other hand, sending a user's password through the mail exposes it
to being logged for later use. For a security-conscious user, it
effectively spoils its use forever.

I agree that you shouldn't use a valuable password with Mailman, and
that the Mailman project is the right place to ask for a change in
Mailman's behavior.

Pete
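
Added example (not part of the original message and not Mailman's code): a sketch of the single-use, expiring reset token the reply describes, showing why a copy logged in transit is useless once the token has been redeemed or has aged out. The class name, the 15-minute lifetime and the addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; the message only says "a few minutes"


class ResetTokenStore:
    """In-memory store of single-use, expiring password reset tokens (hypothetical)."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock
        self._pending = {}  # address -> (sha256 of token, expiry timestamp)

    def issue(self, address):
        """Create a token to mail to `address`; any earlier token is replaced."""
        token = secrets.token_urlsafe(32)
        # Only a hash is kept, so a leak of the store does not reveal live tokens.
        digest = hashlib.sha256(token.encode()).digest()
        self._pending[address] = (digest, self._clock() + self._ttl)
        return token

    def redeem(self, address, token):
        """Return True once for a valid, unexpired token; False otherwise."""
        entry = self._pending.get(address)
        if entry is None:
            return False
        digest, expires_at = entry
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(digest, presented):
            return False
        # Matching token: consume it whether or not it is still in date.
        del self._pending[address]
        return self._clock() <= expires_at


def demo():
    """Constructed scenario: a token captured in transit is replayed later."""
    now = [1_000_000.0]  # fake clock so the example runs instantly
    store = ResetTokenStore(clock=lambda: now[0])
    token = store.issue("user@example.org")
    first = store.redeem("user@example.org", token)   # legitimate use
    replay = store.redeem("user@example.org", token)  # captured copy, reused
    stale = store.issue("user@example.org")
    now[0] += TOKEN_TTL_SECONDS + 1
    late = store.redeem("user@example.org", stale)    # used after expiry
    return first, replay, late
```

A mailed password has neither property: it stays valid until the user changes it, so any copy logged along the path remains usable.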