Is there a safe way to send passwords via email?

Generally speaking, it’s best to avoid sending passwords via email. Most email is inherently insecure, not encrypted and stored on servers all over the place. So sending passwords via email is asking for trouble.

However, we don’t live in a perfect world, and there are times when you’ll want to send a password to a colleague – for that web app you use in the office, for example, or to access something on your computer. We would strongly recommend sending passwords by SMS text message or – better still – encrypted WhatsApp instead. But if you must send a password via email, here’s a safer way to do it.


Sending passwords via email – the absolute no-nos

The method we’re going to show you below is more secure than most, but far from infallible. Even if you do send a password via our proposed method, make sure you still don’t do any of the following:

  • Send the username and password in the same email
  • Send a link to the site/service the password is for in the same email
  • Use the word “password” in the subject line or body of the email – if a hacker breaks into the system, the first thing they will do is scan for the word “password” to steal logins
  • Send highly sensitive passwords in this manner, such as those of bank accounts
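The first three rules above can be checked before a message leaves the outbox. The sketch below is an added example, not part of the original article: the function name, the regular-expression heuristics and the sample messages are all assumptions constructed for illustration, and the fourth rule (highly sensitive accounts) is left to human judgement.

```python
import re
from email import message_from_string, policy

# Keyword the article warns intruders search for, plus close variants (assumption).
KEYWORD = re.compile(r"\b(password|passcode|passphrase|pwd)s?\b", re.I)
URL = re.compile(r"(https?://|www\.)\S+", re.I)
# Heuristic (assumption): a labelled line such as "username: jsmith".
USER_LABEL = re.compile(r"^\s*(user(name)?|login|account)\s*[:=]\s*\S+", re.I | re.M)
# Heuristic (assumption): an 8+ character token mixing lower case, upper case
# and digits is treated as a likely secret.
SECRET = re.compile(r"(?<!\S)(?=\S*[a-z])(?=\S*[A-Z])(?=\S*\d)\S{8,}")

def check_outgoing(raw: str) -> list[str]:
    """Return the rules from the list above that a raw RFC 5322 message breaks."""
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    subject = msg["Subject"] or ""
    findings = []
    if KEYWORD.search(subject) or KEYWORD.search(body):
        findings.append("keyword")
    # Strip URLs first so a mixed-case link is not mistaken for the secret.
    has_secret = bool(SECRET.search(URL.sub(" ", body)))
    if has_secret and URL.search(body):
        findings.append("link_with_secret")
    if has_secret and USER_LABEL.search(body):
        findings.append("username_with_secret")
    return findings

# Constructed sample messages (not real accounts, sites or credentials).
HEADERS = "From: a@example.com\nTo: b@example.com\n"
BAD = HEADERS + ("Subject: Your password for the CRM\n\n"
                 "Log in at https://crm.example.com\n"
                 "username: jsmith\nTr0ub4dor&3xyz\n")
SECRET_ONLY = HEADERS + "Subject: As discussed by phone\n\nTr0ub4dor&3xyz\n"
DETAILS_ONLY = HEADERS + ("Subject: CRM access\n\n"
                          "username: jsmith\nhttps://crm.example.com\n")

if __name__ == "__main__":
    for name, raw in [("BAD", BAD), ("SECRET_ONLY", SECRET_ONLY),
                      ("DETAILS_ONLY", DETAILS_ONLY)]:
        print(name, check_outgoing(raw))
```

An empty result only means none of these heuristics fired; it does not make the message safe to send.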


How to send passwords via email in a safe(ish) way

Gmail has a facility called Confidential Mode. This prevents recipients from copying the content of the message, forwarding it to another address or printing it out. It also prevents them from downloading a copy of the message into their email software, such as Outlook – they’ll basically get a link to a secure website to read the message.

As the sender, you must choose a time period after which the message will “self-destruct” and no longer be readable. That period can range from one day to five years!

Optionally, you can also enter the recipient’s phone number and force them to enter a six-digit PIN code sent by Google before they can read the message. This is effectively what’s known as two-factor authentication: if someone manages to break into the recipient’s email, they will still need access to the recipient’s mobile phone to read the message.

To send an email in Confidential Mode, go to the Gmail website and click the Compose button. Now look for the little padlock and clock symbol that appears at the bottom of the message window. When you click on that, you’ll be presented with options to choose an expiry date and whether or not you want the recipient to be sent an SMS code.

Click Save when you’ve made your choices, type your message as normal (without using the “password” phrase, remember) and then click Send.

The recipient will get a message asking them to click on a link to read it.

You should warn the recipient in advance of sending or they may delete the message, fearing it to be malicious. It’s good practice not to click on links in unsolicited emails, after all.

Gmail’s Confidential Mode is by no means foolproof. Once the recipient opens the email, for example, there’s nothing to stop them from taking a photo of the message on their screen or taking a screenshot, meaning they can keep the content of the message beyond the expiry date – and even do something daft, like keep it in a folder called “passwords” on their desktop or write it on a Post-It Note pinned to their screen.

But Confidential Mode is definitely more secure than sending passwords via regular plain-text emails.

Barry Collins

Barry has 20 years of experience working on national newspapers, websites and magazines. He was editor of PC Pro and is co-editor and co-owner of BigTechQuestion.com. He has published a number of articles on TechFinitive covering data, innovation and cybersecurity.
