True, but this would imply that the plaintext password would be passed around the application's internal infrastructure. Instead of just going into the frontend server, being hashed and then discarded, it would have to be passed to the email server, probably via some sort of message queue. This means the plaintext passwords would have to reside in some kind of datastore temporarily, possibly for quite some time if there is a backlog of registration emails.
This means you have to encrypt that store, which means you have to decide if you want to force EVERY email sent through the queue to adhere to the same security standards or just registration emails. Then you have to manage the keys for that encryption, and you have to audit it, blah blah blah blah; it quickly adds up to many, many man-hours of work.
All this just makes the whole thing more insecure: it increases the attack surface and increases the work needed to secure the system and keep it secure. As it is not really necessary, IMO it shouldn't be done.
This also includes displaying the password back to the user in the browser; the plaintext password should be gone from memory before the templating engine is even invoked. The best way to solve problems is to simply avoid them.
Maybe I'm being unnecessarily paranoid, I like to think of it as a "security mindset" :)
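An added example, not part of the original comment, of the flow argued for above: the registration handler hashes the password and the queued email job never contains it. The in-memory queue and user table, the function names, the scrypt parameters and the single-use confirmation token are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets
from collections import deque

# Constructed stand-ins (assumptions): an in-memory queue and user table.
EMAIL_QUEUE = deque()
USERS = {}
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)


def register(email, password):
    """Frontend handler: hash the password here; nothing downstream sees it."""
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    # The email job carries a single-use confirmation token, not the password.
    token = secrets.token_urlsafe(32)
    USERS[email] = {
        "salt": salt,
        "pw_hash": pw_hash,
        "token_hash": hashlib.sha256(token.encode()).digest(),
        "verified": False,
    }
    EMAIL_QUEUE.append(json.dumps({"to": email, "template": "confirm", "token": token}))


def verify_password(email, password):
    """Login check against the stored salted hash, compared in constant time."""
    user = USERS.get(email)
    if user is None:
        return False
    candidate = hashlib.scrypt(password.encode(), salt=user["salt"], **SCRYPT)
    return hmac.compare_digest(candidate, user["pw_hash"])


def confirm(email, token):
    """Mark the account verified; the token is accepted only once."""
    user = USERS.get(email)
    if user is None or user["token_hash"] is None:
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), user["token_hash"]):
        return False
    user["token_hash"], user["verified"] = None, True
    return True


def queue_contains(secret):
    """Audit helper: does any queued job contain this string?"""
    return any(secret in job for job in EMAIL_QUEUE)
```
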