Passwords via Email: Hold the phone

Please don’t send passwords by email. It’s bad.

A single email message often touches more than two dozen different devices between pickup and delivery, which means that any one of them could harvest the data going through it and use it to gain access to your accounts.

Since other identifying information is always included in emails (the source IP address identifies your computer, the source email address is yours, and the headers give a system profile: operating system plus email software), it becomes very easy to reach more sensitive information through a process of system profiling and association.

For example, a malicious attacker could attempt to exploit your gmail account first, since it’s in the ‘From’ address. They would assume you have an AppleID associated with your email address, since it was sent from a Mac. They would try the most popular store sites and credit-card services – like the Apple AppStore, Amazon, Overstock, Zappos, eBay, PayPal, Chase, BofA, EA, Steam and so on – most of which use your email address as your user name. They could even attempt remote login to your computer through network access (your ‘name’ appears in the ‘From’ box, too) and, if successful, could read your browser cache data and documents to gain greater insight into how best to take advantage of you.

While many of these would surely fail, simply because the account may not exist or because even the simplest security is in place on your end (like a firewall), it is a “numbers game” and eventually one would be exploitable. It only takes one compromised account to cause major pain.

Even the use of “secure” email (via SSL) is susceptible, for several reasons. First, communications between mail servers (your server to the recipient’s server) are rarely via SSL, so the message content isn’t really secured to begin with. Further, you have no way of knowing whether the recipient is using SSL to communicate with their own mail server, so the message could be compromised between that server and their email client. And of course, either you or the recipient could have malware on your computer that harvests content from stored email messages.
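The sender has no view of those server-to-server hops, but the recipient can at least inspect them after the fact: every relay prepends a Received header, and the RFC 3848 convention is that a `with ESMTPS` or `ESMTPSA` clause records a TLS-protected hop, while plain `ESMTP` or `SMTP` means cleartext. The script below is an added example, not code from the original post; it parses a constructed sample message (hosts, addresses and queue IDs are made up) and reports the hop count and which hops were unencrypted. One caveat matters: Received headers are written by the relays themselves, so an earlier hop can forge or omit them, and only the ones added by servers you control are trustworthy evidence.

```python
import email
import re

# Constructed sample message (hosts, addresses and queue IDs are made up).
# Each relay prepends its own Received header, so the top one is the last hop.
SAMPLE_MESSAGE = """\
Received: from mx2.example.net (mx2.example.net [192.0.2.20])
\tby mail.example.org with ESMTPS id abc123
\tfor <bob@example.org>; Mon, 4 Mar 2013 10:02:11 +0000
Received: from relay.example.net (relay.example.net [192.0.2.10])
\tby mx2.example.net with ESMTP id def456;
\tMon, 4 Mar 2013 10:02:09 +0000
Received: from [10.0.0.5] (alice-laptop.example.com [198.51.100.7])
\tby relay.example.net with ESMTPSA id ghi789;
\tMon, 4 Mar 2013 10:02:05 +0000
From: alice@example.com
To: bob@example.org
Subject: account details

here is the password
"""

# "with" protocol tokens that mean the hop used TLS (RFC 3848 / RFC 6531).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}


def parse_hop(value):
    """Pull the from/by/with clauses out of one Received header value."""
    text = " ".join(value.split())  # unfold continuation lines
    m_from = re.search(r"\bfrom\s+(\S+)", text)
    m_by = re.search(r"\bby\s+(\S+)", text)
    m_with = re.search(r"\bwith\s+([A-Za-z0-9]+)", text)
    proto = m_with.group(1).upper() if m_with else "UNKNOWN"
    return {
        "from": m_from.group(1) if m_from else "?",
        "by": m_by.group(1) if m_by else "?",
        "with": proto,
        "tls": proto in TLS_PROTOCOLS,
    }


def analyze_path(raw_message):
    """Return the hops in delivery order (first hop first)."""
    msg = email.message_from_string(raw_message)
    received = msg.get_all("Received", [])
    return [parse_hop(v) for v in reversed(received)]


def unencrypted_hops(hops):
    """Hops whose Received header does not claim TLS."""
    return [h for h in hops if not h["tls"]]


if __name__ == "__main__":
    hops = analyze_path(SAMPLE_MESSAGE)
    print(f"{len(hops)} hops recorded")
    for i, h in enumerate(hops, 1):
        flag = "TLS" if h["tls"] else "CLEARTEXT"
        print(f"  {i}. {h['from']} -> {h['by']} ({h['with']}, {flag})")
    # These headers are written by the relays themselves; an earlier hop can
    # forge or drop them, so only those added by servers you control are
    # trustworthy evidence.
```

In the sample, the laptop-to-relay hop and the final delivery hop claim TLS, but the relay-to-relay hop in the middle is plain ESMTP: exactly the gap the paragraph above describes, and one the sender would never see.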

The bottom line is that email should never be treated as secure. It’s not.*

* Even “the exception” (encrypted mail such as PGP) is vulnerable to on-disk and key-cache attacks, client-side malware, and the difficulty of ensuring that both sender and recipient have what they need to encrypt and decrypt the messages; without that, you may as well be sending random zeroes and ones. Don’t get me wrong: PGP is awesome, I’m not knocking it – but it’s far more complex for the typical user (especially someone likely to send a password by email) than simply picking up the phone. And again, you have to be willing to risk that the recipient won’t abuse your trust.

So… Please do not send passwords by email. Better safe than sorry. 🙂
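The complementary control on the sending side is to catch credentials before they leave: an outbound filter that flags lines of the form `password: ...` can hold or block the message. The script below is an added example, not code from the original post; it runs over a constructed message body, the keyword list and the `should_block` policy are assumptions to tune for your environment, and each finding masks the value so the filter’s own log does not become another copy of the secret.

```python
import re

# Keyword followed by "is", ":" or "=" and then a value, e.g. "password: x".
# Constructed heuristic; extend the keyword list for your own environment.
CREDENTIAL_RE = re.compile(
    r"\b(?P<kind>pass(?:word|wd|phrase)?|pwd|pin)\b\s*(?:is|[:=])\s*(?P<secret>\S+)",
    re.IGNORECASE,
)

# Constructed sample body: two real leaks and one benign mention of "password".
SAMPLE_BODY = """\
Hi Bob,
The new VPN password is Tr0ub4dor&3 and the username is alice.
Please reset your password through the portal when you log in.
FTP creds: user=deploy pwd=S3cret!
Thanks
"""


def mask(secret):
    """Keep the first character so the finding is recognisable, hide the rest."""
    return secret[0] + "*" * (len(secret) - 1)


def find_credential_leaks(body):
    """Return one finding per matched credential; the secret itself is masked."""
    findings = []
    for lineno, line in enumerate(body.splitlines(), 1):
        for m in CREDENTIAL_RE.finditer(line):
            findings.append({
                "line": lineno,
                "kind": m.group("kind").lower(),
                "masked": mask(m.group("secret")),
            })
    return findings


def should_block(body):
    """Policy decision for the outbound filter: any finding blocks the send."""
    return bool(find_credential_leaks(body))


if __name__ == "__main__":
    for f in find_credential_leaks(SAMPLE_BODY):
        print(f"line {f['line']}: {f['kind']} value {f['masked']}")
    print("block:", should_block(SAMPLE_BODY))
```

The benign line (“reset your password through the portal”) produces no finding because the keyword is not followed by “is”, “:” or “=”; the pattern trades some recall for that precision, which is the usual balance for a filter that can block mail.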


One thought on “Passwords via Email: Hold the phone”


Thank you so much for writing this blog post. I have mentioned this to IT people, CEOs and accountants that I work with over and over. They think I am being overly cautious and that there really isn’t any reason to be concerned.
Of course, many of these same people think that articles about the dangers online are all blown out of proportion. Sigh!
