Sending Passwords via Email — Why it’s a Bad Idea, and What to Do Instead



We constantly need to log in to software and services. Whether it’s your workstation, laptop, phone, social network, or software at work, we need access to dozens of passwords. In fact, research suggests the average person has between 25 and 35 unique logins they need to remember. If you’re not using a password manager, that can be a real problem. It’s no wonder that nearly 40% of people forget a password at least once a week.


The problem is that when those passwords do get forgotten, people often get new passwords via email.


Whether it’s coming from your IT department, an online service, a colleague, or somewhere else, sending and receiving passwords via email is a very bad idea. We worked with the fantastic people at 1Password to find out why.


Here’s the SaneBox Scoop on why you shouldn’t share passwords via email, and what to do instead.


Why sending and receiving passwords via email is a bad idea


You might be wondering why it’s a bad idea to share passwords via email and the answer is a very simple one — security.


Emails are often sent in “clear” or “plain” text. That means the content of the email is unencrypted. If the email is intercepted, it’s trivial to extract your password from it.


Your email is often stored in several systems or servers on its way to you. It will be saved in the sent email of the account it comes from, your own email server, and possibly any other systems or servers it passes through.


If any one of those systems is compromised, it can reveal your password to hackers.


Your email is also often stored locally on your laptop or workstation in plain text. If that were to get into the wrong hands, criminals would have access to your passwords.


Even deleting emails doesn’t necessarily mean they are gone forever. They can hang around in trash folders or elsewhere.


If the password for your email account is hacked, bad actors can get access to all the passwords that are emailed to you, simply by requesting password resets.


What to do if you’re sent a password by email


If you do get a password by email, there are ways you can minimize risk.


Change your password immediately — as soon as you have logged in with the new password, change it. That way even if hackers can get to your old password via email, it won’t work.

Use a password manager to create a unique, hard-to-guess password — password managers are a great way to create ones that are hard to crack. You only need to remember a master password and the software fills in all the details for you. We recommend the rather excellent 1Password.

Enable two-factor or multifactor authentication — these are technologies that give you an additional layer of security. For example, you might get a text message on your phone when you try to log in or you could have a security token or smartphone app. Without access to that information, hackers can’t compromise your information and logins.

Alternatives to sending or receiving a password via email


Here are some other ways to give users new password information while minimizing security risks.


Over the phone — do all password resets via a telephone conversation.

SMS or text message — send out new passwords directly to a user’s mobile phone.

Use a “one-time password” — this type of password simply allows a user to log into your system where they are then forced to choose a new, secure password.

Encrypt your emails — using services like Pretty Good Privacy and Safe Gmail.

Use a password manager to securely share passwords with others.
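
For anyone building the “one-time password” option above, here is a sketch of the server side. It is an added example, not code from SaneBox or 1Password. The class name, the 15-minute lifetime, and the 12-character minimum are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TTL_SECONDS = 15 * 60  # assumed lifetime of a temporary password
MIN_LENGTH = 12        # assumed minimum length for the replacement password


class OneTimePasswordStore:
    """Hypothetical in-memory store; a real service would use its user database."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # username -> (SHA-256 digest of temp password, expiry)

    def issue(self, username):
        """Create a random temporary password and keep only its digest."""
        temp = secrets.token_urlsafe(16)  # 128 bits of randomness
        digest = hashlib.sha256(temp.encode()).digest()
        self._pending[username] = (digest, self._clock() + TTL_SECONDS)
        return temp  # handed to the user once; never stored in clear text

    def redeem(self, username, temp, new_password):
        """Accept the temporary password once, and only with a new password."""
        if len(new_password) < MIN_LENGTH or new_password == temp:
            return False  # a rejected new password does not use up the temp one
        entry = self._pending.pop(username, None)  # any real attempt uses it up
        if entry is None:
            return False
        digest, expiry = entry
        if self._clock() > expiry:
            return False
        candidate = hashlib.sha256(temp.encode()).digest()
        # On True the caller stores new_password (hashed with a slow KDF).
        return hmac.compare_digest(candidate, digest)
```

Because the temporary password stops working after one attempt or after the time limit, a copy left behind in a mailbox or message history is useless later.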


Just a few simple steps can protect your identity, privacy, and information from criminals, hackers, and other bad actors. Now, you’ve got no excuse to ever send a password in an email again! Your security will thank you for it.