When I registered as a C2 user earlier this year, I received a verification email containing a link which would complete the registration process. The link was a http collective2 address with an id number on the end. Clicking that link resulted in a "thank you for signing up" http screen which displayed both the email address and full password. The overall web page was "not secure" as far as my browser was concerned. Perhaps the password data was sent securely but there was no particular indication how it was handled.
