This is exactly why you shouldn't use the same password for multiple sites. This is the responsibility of the user. Trying to stop sniffers on the visitor's network is way beyond the responsibilities of the web developer.
Using SSL comes under the realm of the web developer because it is something easily controlled at the web site. You have no control over the security of the user's email setup.
You still have to provide a way for the user to access his account long enough to make changes. Sending it by email is the only automated way to do this that makes economic sense. Many people log into their email accounts every day by sending their password over clear text. Most hosting companies send all of the login information by email.
You still haven't answered the question of how you would do that with an automated system without making the user jump through hoops. You have to be able to prevent unauthorized people from changing their account. If they don't have an initial password, anyone that knew their email account could access it without a password.
When someone creates a new account, they expect an acknowledgment. The likelihood of the guy with the sniffer on your network beating them to the account is low enough to make it a non-issue. I think we are debating perfect world theory vs real world limitations.