Cybersecurity

Sending a password by email:
why it's dangerous

Every day, billions of passwords transit through email. Yet, sending a password by email remains one of the worst practices in cybersecurity. Here's why — and the simple method to never have to do it again.

Use Seecret.it The alternative
The reality

7 reasons to stop sending your passwords by email

Email was invented in 1971. Neither encryption nor confidentiality were in the specs. Here are 7 concrete reasons why it's the worst channel for sharing a password.

1. The password stays for life

A sent email stays in the sender's mailbox, the recipient's, and on all intermediate servers. The password can be read in 5 or 10 years.

2. Vulnerable to hacking

A compromised email account = all sent and received passwords exposed. Phishing attacks on Gmail, Outlook or pro accounts are common in 2026.

3. Indexed and searchable

Mailboxes are indexed. A simple keyword ("password") is enough to expose dozens of credentials in seconds.

4. Backed up out of your control

iCloud, Google Drive, OneDrive... automatically back up mailboxes. Your passwords end up duplicated on servers whose location and retention you don't control.

5. Intercepted by antispam

Antispam filters scan email content. Your passwords are read by automated systems — and temporarily stored in their logs.

6. Wrong recipient

An unfortunate autocomplete is enough to send a password to the wrong person. And once sent, impossible to recall.

7. Not GDPR-compliant

GDPR requires appropriate technical measures to protect personal data (article 32). Sending a password by plain email may qualify as a measure failure and trigger an obligation to notify in case of incident. See our GDPR guide.

Misconception

What about "encrypted" emails?

You often hear: "Gmail/Outlook use TLS, it's encrypted!". True... but only during transport. Once the email arrives, it's stored in plain text. And between two servers, if one doesn't support TLS, the message transits without any encryption.

Even more advanced solutions (S/MIME, PGP) require configuration effort and good key hygiene that make them impractical for one-off use. For sharing a password with a colleague or contractor, the simplest and safest remains a one-time encrypted link.

The alternative

Seecret.it, in 3 seconds

Instead of writing the password in the email, you write a secure link. The recipient clicks, reads the password once, the link auto-destructs.

Before

From: [email protected]
To: [email protected]
Subject: Admin access

Hi,
Here are the credentials:
Login: admin
Password: UltraSecretPassword2026!

Cheers

Password stored for life, readable by anyone with mailbox access.

After

From: [email protected]
To: [email protected]
Subject: Admin access

Hi,
Here are the credentials:
Login: admin
Password: https://seecret.it/abc#xyz

(link valid 24h, 1 view only)

Link expires after reading. No plaintext password in email.

Create my first secure link
FAQ

Frequently asked questions

It doesn't help. The email stays in the recipient's box, in trash for 30 days minimum, in backups, on intermediate SMTP servers, and in antispam logs. Deletion only hides the message from your own view.

No. SMS is even less secure: no end-to-end encryption, stored in plaintext on phones, vulnerable to SIM-swap. WhatsApp and Signal are better, but their cloud backups are unencrypted.

1) Change the password immediately. 2) Check service access logs. 3) If leak involves personal data, evaluate need to notify authority within 72h. 4) In future, use Seecret.it or equivalent.

Never again plaintext passwords in your emails

Free, no signup. Your colleagues will thank you.

Try Seecret.it free