A: You can email a secret link for a single-use webpage that will display a password.
It is a bad idea to send passwords and other confidential information via normal email.
It is highly unlikely, but possible, for a sensitive email to be intercepted by a bad actor in its journey across the Internet. Another risk is that an attacker could break into your email account or the recipient’s email account. If a bad actor were to open your email, they could misuse its contents.
Secure email services can be excellent, but they can also be complicated and require setup in advance. If you just need to send a password, you have other options.
There are simple, safe solutions for sending passwords.
(Note: Back in September 2020, this question came up in “Ask Techie” and was answered here. That approach still works, but I found a better one!)
My favorite free service is Password Pusher.
You don’t need to sign up for an account. Using it is easy:
- Go to https://pwpush.com.
- Enter a password you want to send.
- Slide the “Views” slider down from 5 views to 1.
- Click “Push It!”
- Copy the secret link.
- Paste the secret link into an email and send it.
When the recipient receives the email, he or she can click the secret link, copy the password, and keep it in a safe place.
The reason you set the views to one is so no one else can get the password using the link. It expires immediately after the recipient opens it.
What if someone intercepts the email before the recipient sees it and gets your password using the secret link?
That could be a problem if the bad actor knows how to use the password. You have a couple of options for avoiding that risk.
- Send the password before you use it to lock up something, such as an encrypted Word document, PDF file, or Zip file. Ask the recipient to confirm that he or she has clicked the secret link and has the password. If a bad actor got to the password first, your recipient won’t be able to open the secret link. You’ll know that you need to create a new password and secret link. After the recipient confirms receipt of the new password, use it to lock the file and then send it.
- To send an existing password, you can first send a temporary password via a secret link. Once the recipient confirms receipt of the temporary password, you can send a new secret link for the real password, locking the link with the temporary password. You do this by placing the temporary password in the Passphrase Lockdown field. (I have posted a graphic showing how to use Passphrase Lockdown.)
This whole process is secure because you set the secret link to allow only one view. If the recipient cannot view a password you sent via Password Pusher, you know that someone else got it first.
An alternative to Password Pusher is One Time Secret. It works very much like Password Pusher except that you cannot copy and paste the password shown by the secret link. You need to type it or write it down.
Both services are free. You need to trust that these services are telling the truth when they assert that they have no access to the passwords you send. Password Pusher publishes its source code allowing experts to confirm that it is secure; however, as Password Pusher notes, you cannot be certain that the server-side code of any website is or does what the website claims.
Neither service collects personal information or asks for an email address. You simply make an entry in a form, click a button, and get an expiring secret link.