I seem to recall some forums and other websites sending me a temporary computer-generated password initially, which implicitly allows them to validate my email address as part of registration.
That is just about acceptable as I regard the temporary password as 'theirs', and they are responsible for the security of their own registration process. If users wish to have secure access, they simply change that temporary password before using the service for anything they care about.
But I am at a loss to understand why Companies House emailed my pasword at all, doing so served no purpose that I can see, and it was of course my chosen 'permanent' password, not a temporary one.