Send a password securely

Q: How do I send a password securely via email?

A: You can email a secret link for a single-use webpage that will display a password.

It is a bad idea to send passwords and other confidential information via normal email.

It is unlikely, but possible, for a sensitive email to be intercepted by a bad actor in its journey across the internet. Another risk is that an attacker could break into your email account or the recipient’s email account. If a bad actor were to open your email, they could misuse its contents.

Secure email services can be excellent, but they can also be complicated and require setup in advance. If you just need to send a password, you have other options.

Simple, safe solution for sending passwords

My favorite free service is Password Pusher (www.pwpush.com).

You don’t need to sign up for an account. Using it is easy:

1. Go to https://pwpush.com

2. Enter a password you want to send.

3. Slide the Views slider down from 5 views to 1.

4. Click Push It!

5. Copy the secret link.

6. Paste the secret link into an email and send it.

When the recipient receives the email, they can click the secret link, copy the password, and keep it in a safe place.

The reason you set the views to 1 is so that no one else can get the password using the link. It expires immediately after the recipient opens it. So, if the recipient can open the link, you can be sure no one else has seen the password.

But what if someone intercepts the email before the recipient sees it? The interceptor can get the password using the secret link. That could be a problem if the bad actor knows how to use the password.

You have a couple of options for avoiding the risk of interception, small as it may be.

1. Send the password before you use it to lock up something, such as an encrypted Word document, PDF file or Zip file. Ask the recipient to confirm that they have clicked the secret link and have the password. If a bad actor got to the password first, your recipient won’t be able to open the secret link. You’ll know that you have to create a new password and secret link. After the recipient confirms receipt of the new password, use it to lock what you want to send and then send it.

2. To send an existing password, you can first send a temporary password via a secret link. Once the recipient confirms receipt of the temporary password, you can send a new secret link for the real password, locking the link with the temporary password. Password Pusher has an option to secure a secret link with a password.

This whole process is secure because you set the secret link to allow only one view. If the recipient cannot view a password you sent via Password Pusher, you know that someone else got it first.

Alternative to Password Pusher

An alternative to Password Pusher is One Time Secret (www.onetimesecret.com). It works very much like Password Pusher except that you cannot copy and paste the password shown by the secret link. You need to type it or write it down.

Both services are free. You need to trust that the creators are telling the truth when they assert that they have no access to the passwords you send. Password Pusher publishes their source code allowing experts to confirm that it is secure; however, as Password Pusher, notes you cannot be certain that the server-side code of any website is or does what the website claims.

Neither service collects personal information or asks for an email address. You simply make an entry in a form, click a button, and get an expiring secret link.