8249 West 95th Street, Overland Park, KS 66212

Stop Sending Passwords in Email – STOP IT!

I receive complete login information from people several times a week – via EMAIL!  Believe it or not I get usernames, passwords, and admin URLs sent to me for site FTP, WordPress admin access, and even admin login info for ecommerce sites that contain user credit card information!! It’s not just laypeople who send me this sensitive information via email, I even receive it from web design firms and web developers who should know better!

To understand why this is such a bad thing, you need to understand a bit about how email travels across he web.

Email Was Intended To Travel Via Unknown Parties
It’s been this way since the invention of email decades ago.  It was intended to be handled by a bunch of strangers en route to its destination.  Unlike snail-mail that lets you seal an envelope, anyone who touches your email along its route can view the contents with no trouble at all.

Email Encryption Isn’t Automatic
Email encryption is a very uncommon thing. Even TLS email encryption isn’t foolproof.  For example, if you’re on a wireless network, TLS communication is almost always done without encryption.  Snatching emails out of the air on a wireless connection is incredibly easy.  In addition to plain-ol packet sniffing, uber-nerds can pretend to be a gateway on the network and you may think you’re talking SMTP-TLS to your email server, but it’s really going through their computer first.  Think about that next time you’re in a coffee shop and you send / receive emails.

Email Flight
Emails don’t just magically zap from your computer to mine, there are many servers involved in routing your email from your desktop to mine. Though chances are slim, any disgruntled server admin along the route can intercept your email and steal your login information.  You would never know because it would happen in transit and the email would arrive at its destination like nothing happened.  I just ran a tracert to my own mail server and there are 17 hops from my desktop to my email server, and probably just as many from your computer to your email server.  That’s 30+ opportunities for your email to be intercepted.

Mail Spools
Mail spools are unencrypted pools where messages sit on a server waiting for a chance to get sent out on the web.  One little virus or interloper on a mailserver is all it takes to scour all the emails in the spool for login credentials. Receive-spools can be even worse because some email servers receive so many emails so fast that they have to “tarpit” them to allow the server to keep up and not crash.  This means your email could sit in the tarpit for seconds, or minutes depending on server load.  That’s a lot of exposure to potential bad-guys.

End User Machines
Think of all the programs you’ve installed.  Do you always check “custom install” to inspect all the things that are being installed along with your desired program?  Do you install Windows updates regularly?  Do you have antivirus software?  Is your subscription paid and software up to date?  If you answered “no” or “I don’t know” to any of these, or even if you answered “yes” you are still at risk of being spied on.  The end user’s machine is the most likely place for an email to be intercepted, login credentials intercepted, and accounts compromised.

You’re risking more than you know
You aren’t just risking your website.  If you rely on your online business for the income that pays your bills and payroll, you are putting everyone in your organization, or your client’s organization at risk.  By intercepting login credentials a hacker could gain credit card numbers for thousands of your customers.  They could inject code into your website to harvest credit cards as they are entered and “phone them home.”  I’ve also seen a site that was hacked and had a lot of pirated movies and software posted for free download.  The hacker posted links all over the place for the pirated stuff and the site was quickly wiped from the search listings for hosting the pirated software and movies.  It was a major blow to the revenue of the website.  Every time you email login credentials you put your site, your business, your customers and your employees at risk.

How should you share login credentials?
You know that thing on your desk that has a handset you can pick up and talk into and someone will talk back?  Use it!  If you must email your login info, please use a form that a virus can’t read.  Robots and viri can’t sniff the content of an image.  (That’s why Captcha works.)  If you must type up login credentials to email to someone, do it in your email program, take a screenshot of the info with the Windows Snipping Tool (or command+shift+4 for you Mac people), copy and paste the image into the email, delete the actual text you typed from your email and send it on its way.  Someone would have to want your login info really bad to go to enough trouble to intercept it that way.