Don't Email Passwords
February 2016 – by Per Christensson
You should never share sensitive information via email, for two reasons.
1. By its nature, email is not secure. The email protocols (SMTP, POP3, and IMAP) were not designed for secure communication; encryption was bolted on later as an option. Enabling SSL/TLS in your own mail client protects only the connection between you and your mail server. From there the message may pass through several relays before it reaches the recipient's mailbox, and each server-to-server hop is encrypted only if both servers happen to support it (STARTTLS is opportunistic, so a relay that cannot negotiate TLS simply falls back to plaintext). Every server along the way also holds a readable copy of the message while it is queued. So while interception in transit is unlikely, it is possible, and you have no way of confirming the message was protected end to end.
2. Emails get shared. It's hard to think of a less secure digital storage area than a person's inbox. People forward and reply to emails all the time, inboxes are synced to phones and laptops, and old messages are kept indefinitely and are easily searched. Once your message reaches another user's email account, you have no control over where it goes from there. If the information is not encrypted, it can be read by anyone who receives the message, and by anyone who later gains access to that mailbox.
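Reason 1 can actually be checked after the fact: every server that handles a message prepends a Received: header, and Postfix and Sendmail record the transport as ESMTPS (TLS), ESMTPSA (TLS plus authenticated submission) or plain ESMTP/SMTP, often with a "(using TLSv1.2 ...)" note. The script below is an added example, not part of the original tip; it parses a constructed three-hop message and reports which hop accepted the message without TLS. The hostnames, addresses and IDs in the sample are made up.

```python
"""Audit the Received: trail of an email to see which hops used TLS."""
from __future__ import annotations

import re
from email import message_from_string

# Constructed sample (not a real message): the sender submitted over TLS,
# the sender's server relayed over TLS, but the last relay delivered to the
# recipient's MX in plaintext.
SAMPLE_MESSAGE = """\
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.example.org (Postfix) with ESMTP id 1A2B3C;
\tTue, 2 Feb 2016 10:02:11 +0000
Received: from mail.example.com (mail.example.com [203.0.113.5])
\tby relay.example.net (Postfix) with ESMTPS id 9Z8Y7X
\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits));
\tTue, 2 Feb 2016 10:02:09 +0000
Received: from [192.0.2.10] (client.example.com [192.0.2.10])
\tby mail.example.com (Postfix) with ESMTPSA id 5D6E7F
\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits));
\tTue, 2 Feb 2016 10:02:07 +0000
From: alice@example.com
To: bob@example.org
Subject: your account

Here is the login you asked for.
"""

# Phrases that Postfix, Sendmail and Exchange put in Received: headers when
# the connection was TLS-protected.
TLS_MARKERS = re.compile(r"\bESMTPSA?\b|using TLS|version=TLS|\bTLSv1", re.I)
# The "with <protocol>" clause; ESMTPS/ESMTPSA mean TLS, LMTP/local are internal.
PROTO = re.compile(r"\bwith\s+([A-Z]+)", re.I)
FROM_BY = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.I | re.S)
INTERNAL = {"LMTP", "LOCAL"}


def audit_hops(raw_message: str) -> list[dict]:
    """Return one record per Received: header, in the order the hops happened."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    hops = []
    # Each relay prepends its own header, so the list is newest-first;
    # reverse it to walk the path the message actually took.
    for header in reversed(received):
        flat = " ".join(header.split())  # unfold continuation lines
        m = FROM_BY.search(flat)
        sender, receiver = (m.group(1), m.group(2)) if m else ("?", "?")
        proto = PROTO.search(flat)
        protocol = proto.group(1).upper() if proto else "UNKNOWN"
        hops.append({
            "from": sender,
            "by": receiver,
            "protocol": protocol,
            "internal": protocol in INTERNAL,
            "tls": bool(TLS_MARKERS.search(flat)),
        })
    return hops


def plaintext_hops(raw_message: str) -> list[str]:
    """Network hops that accepted the message without TLS, as 'sender -> receiver'."""
    return [
        f"{h['from']} -> {h['by']}"
        for h in audit_hops(raw_message)
        if not h["tls"] and not h["internal"]
    ]


if __name__ == "__main__":
    for hop in audit_hops(SAMPLE_MESSAGE):
        status = "TLS" if hop["tls"] else "PLAINTEXT"
        print(f"{hop['from']:>20} -> {hop['by']:<20} {hop['protocol']:8} {status}")
    print("unprotected:", plaintext_hops(SAMPLE_MESSAGE))
```

Two caveats when reading real headers: any upstream relay (or a spammer) can forge the Received: lines below its own, so only the headers added by servers you control are trustworthy; and a trail that shows TLS on every hop still says nothing about reason 2, because the message sits decrypted in the recipient's mailbox.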
This brings us to the tip of the month: don't email passwords!
Emailing passwords is one of the most common security violations I see on the Internet. Contrary to what their name might seem to imply, passwords are not meant to be passed around. Once they get out, it can be difficult or impossible to track who has them. The associated accounts become vulnerable and can easily be compromised. Remember the tip to not share your password?
So how do you give someone a password? If you're in close proximity to the person who needs it, good old fashioned face-to-face communication works pretty well. If an in-person meeting is not possible, you can call the person and give the password over the phone. While phone calls are not 100% secure, they are far more secure than email for this purpose, and, unlike an email, a spoken password is not sitting in anyone's mailbox afterward. Just make sure you are talking to the right person: call a number you already have on file, not one supplied in the message that asked for the password.
If you must use email, you can send the username in one email and a password hint (which may include part of the password) in another. Keep in mind that this is only a modest improvement: both messages usually land in the same inbox, so anyone who can read one can read the other, and a hint that reveals part of the password weakens what is left. A better option is to save the password in an encrypted document, such as a PDF or compressed archive protected with a modern algorithm like AES-256 (the old ZIP "ZipCrypto" scheme and 40-bit PDF protection are easily broken), and attach that instead. Of course, the recipient then needs a passphrase to open the file, and that passphrase must not travel in the same email, or the encryption accomplishes nothing. So unless you already share a secret with the recipient, simply communicating the password over the phone is usually the simplest and safest option.