I expect an Internet security company to know better than to email passwords in clear text!
According to the website, with the information provided in the attached email, I can
• View your order status
• Get your shipping tracking number or view the shipping status
• View or print your order invoice
• Get your serial number or unlock code
• Re-download your purchase
• Order a BackUp CD for your download purchase
• Add Extended Download Service (EDS) to your order
• Update your credit card information when your preorder authorization failed.
Please update your processes to address this well documented security risk!
And how do you think a user can read the password if it doesn’t arrive in clear text?
If a user is not using an SSL/TLS mail server, then there is nothing avast can do about it.
Sure, it is possible to only send a mail to an address on a secured server.
But the receiver may have set it up so that the mail is forwarded to a non-secured one.
The real question is why is a password being sent at all? I have an Avast account with a password that is not the password sent in the email. Why do I need a different password to manage the order when I should be able to do it from my Avast account?
If you order from Amazon, you don’t get an order ID and password with every order.
If you use a site’s forgot password option, the generally accepted secure response is not to provide a new password (or worse the current password) in clear text. Instead, the secure approach is to send a link to change the password (with an expiring token) that also requires the user to provide information not found in the email that authenticates their identity. And yes, I know this approach can be exploited as well but at least it takes a little more effort.
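The reset flow described in the post above (a link with an expiring token, plus a check on information that is not in the email), written out as an added example that is not part of the forum thread and not Avast's own code. The URL, the 15-minute lifetime, the "last four digits of the card on file" challenge and the account data are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime of a reset link
PBKDF2_ITERATIONS = 200_000   # assumed work factor for stored passwords


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'salt:hash' in hex."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex() + ":" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split(":")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def hash_token(token: str) -> str:
    # Only a hash of the reset token is stored, so a leaked table row
    # cannot be turned back into a working link.
    return hashlib.sha256(token.encode()).hexdigest()


class PasswordResetService:
    def __init__(self, accounts):
        # accounts: email -> {"password_hash": str, "card_last4": str}  (constructed data)
        self._accounts = accounts
        self._pending = {}  # token hash -> {"email", "expires_at", "used"}

    def request_reset(self, email, now=None):
        """Issue a single-use, expiring token to embed in the emailed link.
        Returns None for unknown addresses; the caller should send the same
        generic response either way so the form does not reveal which
        addresses have accounts."""
        if email not in self._accounts:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._pending[hash_token(token)] = {
            "email": email,
            "expires_at": now + TOKEN_TTL_SECONDS,
            "used": False,
        }
        return token

    def reset_link(self, token):
        # Hypothetical URL. What matters is what the email does NOT contain: any password.
        return "https://example.invalid/reset?token=" + token

    def complete_reset(self, token, card_last4, new_password, now=None):
        """Accept the reset only if the token is known, unexpired and unused,
        AND the user supplies a value that was never in the email (here the
        last four digits of the card on file, a constructed stand-in)."""
        now = time.time() if now is None else now
        entry = self._pending.get(hash_token(token))
        if entry is None or entry["used"] or now > entry["expires_at"]:
            return False
        account = self._accounts[entry["email"]]
        # Constant-time comparison of the out-of-band value.
        if not hmac.compare_digest(account["card_last4"], card_last4):
            return False
        entry["used"] = True  # burn the token so the link cannot be replayed
        account["password_hash"] = hash_password(new_password)
        return True


if __name__ == "__main__":
    accounts = {"alice@example.test": {"password_hash": hash_password("old-secret"), "card_last4": "4242"}}
    svc = PasswordResetService(accounts)
    tok = svc.request_reset("alice@example.test")
    print("email would contain only:", svc.reset_link(tok))
    print("wrong challenge accepted?", svc.complete_reset(tok, "0000", "new-secret"))
    print("correct challenge accepted?", svc.complete_reset(tok, "4242", "new-secret"))
    print("replay accepted?", svc.complete_reset(tok, "4242", "again"))
```

The three properties the post asks for are each a separate check in `complete_reset`: the token expires, it works only once, and it is useless on its own without the out-of-band value. Storing only a hash of the token and using a constant-time compare are the details a practitioner would add beyond the post.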