Author Topic: Avast renewal confirmation had order password in clear text


REDACTED (Guest)
Avast renewal confirmation had order password in clear text
« on: August 27, 2016, 02:56:43 PM »
I expect an Internet security company to know better than to email passwords in clear text! 

According to the website, with the information provided in the attached email, I can
•   View your order status
•   Get your shipping tracking number or view the shipping status
•   View or print your order invoice
•   Get your serial number or unlock code
•   Re-download your purchase
•   Order a BackUp CD for your download purchase
•   Add Extended Download Service (EDS) to your order
•   Update your credit card information when your preorder authorization failed.

Please update your processes to address this well documented security risk!

Eddy (Avast Evangelist)
Re: Avast renewal confirmation had order password in clear text
« Reply #1 on: August 27, 2016, 03:11:19 PM »
Ok, here is your new password encrypted: %*^#$$%##@**
Now it is up to you to decrypt it and we will not tell how we encrypted it :P

REDACTED (Guest)
Re: Avast renewal confirmation had order password in clear text
« Reply #2 on: August 27, 2016, 03:21:51 PM »
Maybe you should spend more time researching the risks of emailing passwords in the clear than working on your comedy routine.  Let me help you start:

https://www.google.com/#q=risks+of+emailing+passwords+in+clear+text
Eddy (Avast Evangelist)
Re: Avast renewal confirmation had order password in clear text
« Reply #3 on: August 27, 2016, 03:33:05 PM »
And how do you think a user can read the password if it doesn't arrive in clear text ?

If a user is not using an SSL/TLS mail server, then there is nothing avast can do about it.
Sure, it is possible to only send a mail to an address on a secured server.
But the receiver can have set it up that the mail is forwarded to a non-secured one.

REDACTED (Guest)
Re: Avast renewal confirmation had order password in clear text
« Reply #4 on: August 27, 2016, 03:43:24 PM »
The real question is why is a password being sent at all?  I have an Avast account with a password that is not the password sent in the email.  Why do I need a different password to manage the order when I should be able to do it from my Avast account?

If you order from Amazon, you don't get an order ID and password with every order.

If you use a site's forgot password option, the generally accepted secure response is not to provide a new password (or worse the current password) in clear text.  Instead, the secure approach is to send a link to change the password (with an expiring token) that also requires the user to provide information not found in the email that authenticates their identity.  And yes, I know this approach can be exploited as well but at least it takes a little more effort.

« Last Edit: August 27, 2016, 03:49:49 PM by Concerned Avast User »