Because I’m a web developer, there are many times I need someone to send a password to me. I’ve dealt with plenty of hacked sites, so I do my best to keep the password-sending process secure. Unfortunately, nobody ever seems to listen.
Never Send a Password over Email!
It doesn’t matter if the password is to your website, your email, or your bank account. Just don’t do it!
Email is not safe. Because email isn’t encrypted end to end by default, it can be intercepted at any point during transmission. Let’s say you have a username, a password, and a URL all sent in one email, and during transmission that email gets intercepted. You have now given someone everything they need to access your account. That’s the equivalent of mailing a random stranger the keys to your car along with a post-it note saying where to find your vehicle!
How Do I Send a Password Securely?
There are a number of ways to do this, but they may take a little more effort than just copying and pasting right into your email message.
- Handwritten: Write it down and personally hand the password to the person who needs it.
- Phone call: I know it may be scary, but if they live farther away, you can always call the person and give it over the phone. While a phone call still isn’t completely secure, it’s more secure than email.
- Combination method: Mix and match. Text someone just the password. Then send the URL over email. Then call them with the username. The only thing to remember is that you may want to add a deciphering code to your email. Depending on the font selected for a person’s phone, the capital I, lowercase l, number 1, and pipe (|) may all look alike. You really don’t want to have the other person lock themselves out because they didn’t know the I was really an L.
Is There Another Way to Send a Password?
The last approach to sending a password is a free, online service called One Time Secret.
This service allows you to enter your secret content and protect it with a passphrase. You can then create a link and email that link to someone else. When they open their email and visit the link, they will have to enter the passphrase (which you will tell them beforehand) to access the content. Once they open the “secret” they can copy and paste the password for future use. As soon as they leave that page, the content will be gone forever.
This is good because if someone else opens the secret before the intended recipient does, the recipient will find it already gone and will hopefully contact you to say they can’t get the password. Then you know it’s time to change that password. Also, the “secret” expires after 7 days, so the password is time-sensitive as well.
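To make the read-once and 7-day behaviour concrete, here is an added sketch in Python. It is not One Time Secret's code or API; the OneTimeStore class, its method names, and the choice that a wrong passphrase leaves the secret in place are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TTL_SECONDS = 7 * 24 * 60 * 60  # the 7-day expiry described above


class OneTimeStore:
    """Hypothetical in-memory store: each secret can be read exactly once."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._items = {}  # token -> (salt, passphrase_hash, secret, expires_at)

    @staticmethod
    def _hash(passphrase, salt):
        # scrypt makes each passphrase guess expensive
        return hashlib.scrypt(passphrase.encode(), salt=salt, n=2**14, r=8, p=1)

    def put(self, secret, passphrase):
        token = secrets.token_urlsafe(24)  # unguessable part of the link
        salt = secrets.token_bytes(16)
        self._items[token] = (salt, self._hash(passphrase, salt), secret,
                              self._clock() + TTL_SECONDS)
        return token

    def get(self, token, passphrase):
        item = self._items.get(token)
        if item is None:
            return None  # never existed, already read, or expired
        salt, expected, secret, expires_at = item
        if self._clock() >= expires_at:
            del self._items[token]
            return None
        if not hmac.compare_digest(self._hash(passphrase, salt), expected):
            return None  # assumption: a wrong passphrase does not burn the secret
        del self._items[token]  # burn before returning, so no second read
        return secret


def demo():
    now = [0.0]  # fake clock so expiry can be shown without waiting
    store = OneTimeStore(clock=lambda: now[0])
    token = store.put("constructed-sample-password", "told-by-phone")
    results = [store.get(token, "guess"), store.get(token, "told-by-phone"),
               store.get(token, "told-by-phone")]
    stale = store.put("another-constructed-secret", "pw")
    now[0] += TTL_SECONDS
    return results + [store.get(stale, "pw")]
```

The second read with the correct passphrase returning nothing is the signal described above: if the intended recipient is the one who gets that result, treat the password as exposed and change it.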
Finally, if you don’t like the idea of relying on a service that runs on someone else’s server to send your passwords, you can always grab the open source code from GitHub and install it on your own server.
All in all, emailing passwords is a bad idea, and with other methods available to send a password securely, it’s time to step up your own personal security.