I can see that WA has read this thread- so my original intent of pointing out what I believe to be a flawed registration process is achieved. If WA chooses not to make a change (to help those who like to be reminded of what their password is)- fine by me. There are many causes I might choose to champion- this isn't one of them. :-)
That aside- continuing on the general topic of registration security- I agree there is no simple answer. It is a rich, complex topic, with trade-offs on security, user-friendliness, & implementation costs/complexity.
At the most basic level, however- I think web developers need to help protect users from themselves. MOST users do not have good password strategies. Even when you use password mgmt software- I've seen users use them in ways that make them even more vulnerable. If a sniffer were to pick up the email & password of a WA registration confirm- then someone uses that combination at a variety of other common sites, it wouldn't take long before they ultimately gain access to something (like an email account)- and with further sleuthing- use that as access to bank accts, etc.
The most basic security for any registration process, IMHO, would be that the original registration be done via SSL, passwords masked on the page, and passwords never sent in plain text via email. It should never be less than that.
See the latest from the W3C on the topic: