Sending Passwords In Email Is A Bad Idea, Unless You Do This

Lots of people send passwords or personal data such as social security numbers or driver's license numbers in email. It goes from one person to another, so what's the big deal? Well, in many cases, those messages are stored and can sometimes be read!

Why It's So Bad

Let's start with the path of an email message. The email software connects to the mail server. Nowadays most software uses an encrypted connection, but not always. However, after that initial connection, who knows? That mail server may retain a copy of the message. It may or may not use a secure connection to send it on, because the next mail server in the path may not support encryption. There may be multiple mail servers between the sender and recipient.
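Each mail server on that path stamps a Received header on the message, and the "with" keyword in it records whether that hop used STARTTLS. The following is an added example, not part of the original article: it reads those headers from a constructed sample message (all hostnames, IDs and addresses are made up) and lists the hops that do not record encryption.

```python
import re
from email import message_from_string

# Constructed sample message; hosts, IDs and addresses are made up for illustration.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.9])
\tby mailstore.recipient.example with LMTP id abc123;
\tTue, 10 Jan 2023 10:00:05 -0500
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
\tby mx.recipient.example with ESMTP id def456;
\tTue, 10 Jan 2023 10:00:03 -0500
Received: from mail.sender.example (mail.sender.example [192.0.2.25])
\tby relay.isp.example with ESMTPS id ghi789
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
\tTue, 10 Jan 2023 10:00:02 -0500
Received: from laptop.sender.example ([192.0.2.77])
\tby mail.sender.example with ESMTPSA id jkl012;
\tTue, 10 Jan 2023 10:00:01 -0500
From: alice@sender.example
To: bob@recipient.example
Subject: your new account

Temporary password enclosed.
"""

# "with" keywords (RFC 3848, RFC 6531) that mean the hop used STARTTLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
                 "UTF8SMTPS", "UTF8SMTPSA", "UTF8LMTPS", "UTF8LMTPSA"}

def hop_report(raw_message):
    """Return hops oldest-first as (from_host, by_host, protocol, encrypted)."""
    msg = message_from_string(raw_message)
    hops = []
    for header in reversed(msg.get_all("Received", [])):  # newest header is on top
        flat = " ".join(header.split())  # unfold continuation lines
        frm = re.search(r"\bfrom\s+(\S+)", flat)
        by = re.search(r"\bby\s+(\S+)", flat)
        proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", flat)
        name = proto.group(1).upper() if proto else "UNKNOWN"
        hops.append((frm.group(1) if frm else "?", by.group(1) if by else "?", name, name in TLS_PROTOCOLS))
    return hops

def unencrypted_hops(raw_message):
    return [h for h in hop_report(raw_message) if not h[3]]

if __name__ == "__main__":
    for frm, by, proto, enc in hop_report(SAMPLE):
        print(f"{frm} -> {by}: {proto} ({'TLS' if enc else 'no TLS recorded'})")
```

Received headers are written by each server in turn, so a missing TLS keyword means only that encryption was not recorded for that hop, and the headers say nothing about copies a server keeps.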

Spam filters may retain the message, and system admins may have access. Our ITS Mail Guard service redacts "clean" messages but not spam messages, because we're often asked to find quarantined messages. There's no way to know how it is handled on the recipient's end.

Recipients often will not delete that confidential message, leaving it in their Inbox or Deleted Items/Trash folder. If a hacker compromises the recipient's computer or email account, the hacker can download your confidential information.

The one exception is initial passwords that require a password change on the first login. The emailed password becomes irrelevant after the change. It's not ideal to send those unencrypted, but there is at least lower risk as long as the new account holder logs in and does not ignore the message.

The Right Way To Send Confidential Data

The best way to send confidential information via email is to use an encryption service. We include ITS Mail Guard's encryption feature in our ITS TeamCare service. The sender marks the message with a special tag, or the service can automatically detect things like a Social Security number. The recipient must log in to a website to view the message, which is deleted after a few weeks. Thus it does not go through any mail servers on the receiving end, and cannot be stored for later access.

January 2023
