The real question is why is a password being sent at all? I have an Avast account with a password that is not the password sent in the email. Why do I need a different password to manage the order when I should be able to do it from my Avast account?
If you order from Amazon, you don't get an order ID and password with every order.
If you use a site's forgot password option, the generally accepted secure response is not to provide a new password (or worse the current password) in clear text. Instead, the secure approach is to send a link to change the password (with an expiring token) that also requires the user to provide information not found in the email that authenticates their identity. And yes, I know this approach can be exploited as well but at least it takes a little more effort.