Thanks. I know sending passwords via email is insecure, but it's also very convenient for users. Considering what sort of application Q2A is, there's not really all that much motivation for someone to steal someone else's account. But I guess the concern is more that people share passwords across multiple services. So I think you're right and will remove the password from the welcome emails. They can still be sent when someone resets their password, but in that case it will be a randomly-generated one, so it will not be shared with any other services.
As for password hashing, the problem is using something that is available commonly across all versions of PHP and all systems. Unfortunately as far as I can tell this is not the case for bcrypt. I am open to other suggestions, though this would be a quite a delicate change, since Q2A would still need to support the old hashing scheme, and then migrate accounts across to the new hashing scheme after users log in for the first time. So suitable for a major release only.