Authly Send

Why You Should Never Send Passwords by Email

4 min read

It's one of the most common security mistakes in the world: someone needs a password, so you type it into an email and hit send. It feels private — after all, it's going to one person's inbox. But email is one of the least secure ways to share a password, and here's why.

How Email Actually Works (And Why It's Insecure)

Most people think of email as a direct line between sender and recipient. In reality, an email passes through multiple servers and systems:

  1. Your email client sends the message to your email provider's server
  2. Your provider's server looks up the recipient's email provider
  3. The message is transmitted between servers (sometimes through intermediary servers)
  4. The recipient's provider stores the message on their server
  5. The recipient's client downloads the message

At each step, the email may be stored, logged, cached, or backed up. And while TLS protects emails in transit between servers, that protection is only as good as each hop's support for it, and the messages themselves are typically stored unencrypted at rest on every server they touch.

The Real Risks of Emailing Passwords

Permanent Storage

That password you emailed lives in at least four places: your sent folder, the recipient's inbox, your email provider's servers, and their email provider's servers. Most email providers retain data for years. Even "deleted" emails often remain in backups for months.

Account Compromise

If either your email account or the recipient's is ever compromised, the attacker gets access to every password ever shared via email. Email accounts are frequently targeted — phishing remains the #1 attack vector, and once an attacker is in your inbox, they'll search for keywords like "password," "login," and "credentials."

Forwarding and Exposure

Emails can be forwarded, CC'd, or accidentally sent to the wrong person. Auto-complete in email clients regularly causes people to send sensitive information to the wrong recipient. Unlike a one-time link, there's no way to "unsend" or revoke access to an emailed password.

Compliance Violations

Many regulatory frameworks (HIPAA, GDPR, SOC 2, PCI DSS) explicitly prohibit sharing credentials via unencrypted email. Emailing passwords can put your organization at risk of compliance violations and fines.

What to Do Instead

Use a Self-Destructing Encrypted Link

The simplest alternative: paste the password into Authly Send, get an encrypted one-time link, and send that link via email instead of the password itself. The recipient clicks the link to see the password, and the link immediately self-destructs. Even if the email is later compromised, the link is dead.

Use a Password Manager's Sharing Feature

If both you and the recipient use the same password manager (1Password, Bitwarden, Dashlane), use its built-in sharing feature. The password is encrypted end-to-end and never passes through email.

Share Verbally

For critical credentials, a phone call or in-person exchange leaves no digital trace. It's inconvenient but effective for high-stakes secrets.

But What If I Have No Other Option?

If someone specifically asks you to email them a password (a client, a non-technical family member), send them a one-time link instead and explain why. It's just as easy for them — they click a link instead of reading an email — and infinitely more secure.

You can even send the one-time link via email. The difference is that the email now contains a link that self-destructs, not the password itself. If the email is compromised later, the link is already dead. And if the recipient finds the link already consumed when they click it, treat that as a sign someone else opened it first and rotate the password.
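As an added illustration of the mechanism described above (example code, not Authly Send's own implementation), here is a minimal one-time secret link in Python: the secret is encrypted before upload, the key travels only in the URL fragment so the server never receives it, and the server deletes the ciphertext on the first read, so a second visit finds nothing. The cipher is a standard-library HMAC-based stream cipher with an encrypt-then-MAC tag standing in for a real AEAD, and the `send.example` hostname is a placeholder.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse
# "Server" side: keeps only ciphertext under a random id; it never sees the key.
_STORE = {}

def server_put(blob: bytes) -> str:
    secret_id = secrets.token_urlsafe(16)
    _STORE[secret_id] = blob
    return secret_id

def server_take(secret_id: str):
    # pop() makes the read destructive: a second request finds nothing.
    return _STORE.pop(secret_id, None)

# "Client" side: HMAC-SHA256 keystream plus encrypt-then-MAC tag, a stdlib
# stand-in for a real AEAD such as AES-GCM (use that in production).
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext tampered or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def create_link(password: str, base: str = "https://send.example/s/") -> str:
    key = secrets.token_bytes(32)
    secret_id = server_put(encrypt(key, password.encode()))
    # The key rides in the URL fragment, which browsers never send to the server.
    return f"{base}{secret_id}#{key.hex()}"

def open_link(link: str):
    parsed = urlparse(link)
    blob = server_take(parsed.path.rsplit("/", 1)[-1])  # destructive read
    if blob is None:
        return None  # already opened (or never existed): the link is dead
    return decrypt(bytes.fromhex(parsed.fragment), blob).decode()
```

The link itself never contains the password, and after `open_link` runs once the server holds nothing that could be recovered from a later mailbox compromise.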

The Bottom Line

Email was designed for communication, not for security. Passwords shared via email are stored permanently, backed up repeatedly, and vulnerable to account compromise. The fix is simple: use an encrypted, self-destructing secret link instead. It takes 10 seconds and eliminates the risk entirely.

Ready to share a secret securely?

Zero-knowledge encryption. No signup. Free.

Send a Secret Now