Stop Sending Passwords in Email!

I receive complete login information from people several times a week – via EMAIL!  Believe it or not I get usernames, passwords, and admin URLs sent to me for FTP, WordPress admin access, and even admin login info for ecommerce sites that contain user credit card information!! It’s not just laypeople who send me this sensitive information via email, I even receive it from web design firms and web developers who should know better!

To understand why this is such a bad thing, you need to understand a bit about how email travels across the web.

Email Was Intended To Travel Via Unknown Parties
It’s been this way since the invention of email decades ago.  It was intended to be handled by a bunch of strangers en route to its destination.  Unlike snail-mail that lets you seal an envelope, anyone who touches your email along its route can view the contents with no trouble at all.

Email Encryption Isn’t Automatic
Email encryption is a very uncommon thing. Even TLS email encryption isn’t foolproof.  For example, if you’re on a wireless network, TLS communication is almost always done without encryption.  Snatching emails out of the air on a wireless connection is incredibly easy.  In addition to plain-ol packet sniffing, uber-nerds can pretend to be a gateway on the network and you may think you’re talking SMTP-TLS to your email server, but it’s really going through their computer first.  Think about that next time you’re in a coffee shop and you send / receive emails.

Email Flight
Emails don’t just magically zap from your computer to mine, there are many servers involved in routing your email from your desktop to mine. Though chances are slim, any disgruntled server admin along the route can intercept your email and steal your login information.  You would never know because it would happen in transit and the email would arrive at its destination like nothing happened.  I just ran a tracert to my own mail server and there are 17 hops from my desktop to my email server, and probably just as many from your computer to your email server.  That’s 30+ opportunities for your email to be intercepted.

Mail Spools
Mail spools are unencrypted pools where messages sit on a server waiting for a chance to get sent out on the web.  One little virus or interloper on a mailserver is all it takes to scour all the emails in the spool for login credentials. Receive-spools can be even worse because some email servers receive so many emails so fast that they have to “tarpit” them to allow the server to keep up and not crash.  This means your email could sit in the tarpit for seconds, or minutes depending on server load.  That’s a lot of exposure to potential bad-guys.

End User Machines
Think of all the programs you’ve installed.  Do you always check “custom install” to inspect all the things that are being installed along with your desired program?  Do you install Windows updates regularly?  Do you have antivirus software?  Is your subscription paid and software up to date?  If you answered “no” or “I don’t know” to any of these, or even if you answered “yes” you are still at risk of being spied on.  The end user’s machine is the most likely place for an email to be intercepted, login credentials intercepted, and accounts compromised.

You’re risking more than you know
You aren’t just risking your website.  If you rely on your online business for the income that pays your bills and payroll, you are putting everyone in your organization, or your client’s organization at risk.  By intercepting login credentials a hacker could gain credit card numbers for thousands of your customers.  They could inject code into your website to harvest credit cards as they are entered and “phone them home.”  I see sites all the time that are hacked to host pirated content or sell counterfeit goods- do you want to be party to hosting pirated content and face the potential wrath of the government?  Not only do you risk a government investigation into your pirating, I’ve seen hackers post links all over the internet to that stolen content. Links that Google sees and then thinks you’re the pirate. Guess how much longer your website will rank?  Every time you email login credentials you put your site, your business, your customers and your employees at risk.

How should you share login credentials?
You know that thing on your desk that has a handset you can pick up and talk into and someone will talk back?  Use it!  If you must email your login info, please use a form that a virus can’t read.  Robots and viri can’t sniff the content of an image.  (That’s why Captcha works.)  If you must type up login credentials to email to someone, do it in your email program, take a screenshot of the info with the Windows Snipping Tool (or command+shift+4 for you Mac people), copy and paste the image into the email, delete the actual text you typed from your email and send it on its way.  Someone would have to want your login info really badly to go to enough trouble to intercept it that way. If you can’t be bothered to do that, at least send login creds in separate emails without labeling them “site” “username” and “password”.

A little common sense and a few extra seconds of effort is really worth it to protect your website, business and livelihood.