Altru should not send passwords in plain text via email
Altru sends a patron's password to them in plain text via email. Ideally a temporary password would be created and the patron be forced to change their password with the whole process hardened by a captcha. A concession would be the password is still sent via email and end user is forced to change their password at next login.