A password is more than a string of random characters. It is like the fortress to all the personal information we hold dearly: think bank accounts, social media accounts, subscription services, utilities, and even contacts.
Naturally, passwords are highly confidential and not something you share with anyone. Of course, we don’t live in a perfect world. Some situations arise when you need to share a password with someone. One convenient channel for most people is email. But don’t let convenience fool you. Sending passwords in an email comes with serious risks.
Dangers of sending passwords via emails
Here are the main risks:
Potential account takeover
Many people often use the same password across multiple apps. When someone has your password, they can access your emails. Hackers can study your applications and ‘spray’ this password on these services. Or, they can request several passwords reset on your accounts, as many as possible.
The hacker can transfer money from your accounts with your password and email address. Another likely scenario is they can send phishing scams to the contacts in your email and social media.
Email providers can read the emails
Many email applications are unencrypted. The information you share appears in clear text, making it viewable across the different servers. Unfortunately, a skilled cybercriminal could compromise the email client, revealing the passwords of its users’ messages.
Also, deleting emails doesn’t always mean they are permanently gone. So, without encryption, hackers can easily access this data too.
How to send passwords securely via email?
Generally, you need encryption to send passwords via email securely. So, without any security mechanism, it becomes risky. Yet, as previously mentioned, many people share passwords via email for different reasons.
You could attempt this more securely in two ways, depending on the email client.
One method is to find a provider that can encrypt your file with the password in a compressed or zip format.
It would then send this message to the intended recipient. Afterwards, that person will need a password to open or download it. Rather than using email, you could inform them of the code via text, instant messenger, or personally.
The second option, which is the most secure, is through a self-destruction feature. The concept is to keep the message live for a predefined period, like a few minutes, hours, or days, before it automatically deletes itself.
Once you have self-destruction to a message, you can share it using a link that will only show the content to the viewer once. The main benefit here is that you can be sure your password isn't floating around.
Alternatives to sending passwords via email
Here, we look at the alternate methods of sending passwords, from the least to the most secure.
Text messages are a low-tech approach that is not recommended by many experts, even in last-resort scenarios. While convenient, like email, SMS has no encryption. Anyone can view your messages if your phone is stolen or hacked.
Over the phone
Using verbal communication is another way of sharing sensitive information. However, the two parties involved must ensure no one is nearby eavesdropping on the conversation. Also, their phone should not record the calls.
Use a ‘one-time password’
This approach may not work for every service as some may not generally issue OTPs (one-time passwords). However, the idea is that you can share this with the intended recipient rather than the ordinary password.
With the OTP, they can log into your account and reset the password. The key is using a secure channel to share the OTP in the initial stage.
The safest method of sending passwords is using an encrypted password sharing service. It allows the original user to share their password using a link that expires after a set time.
Duckist does exactly that. What’s more, the initial sender of the password does not need to sign up or download anything to use the service. Also, there is self-destruction feature and encryption for each link you create.