Don't send user&pwd in email?

By njcsamuels
I always am disturbed by seeing requests or hearing when users want to send a username and password via email. After trying to find research on this topic, I'm starting to question whether or not I'm being too paranoid. So I wanted to ask the community how they feel about this topic. I believe people should not send usernames and passwords in email at all. In my mind, it's always best to make the phone call...leave a vm if needed. This prevents unknown persons from sniffing the network traffic and finding their password. But then again, I'd bet the business folk would argue, "what's the data you are trying to protect?"

Request for Clarification

by robo_dev In reply to Clarifications

However, if the system forces the user to change the password at the first login, then that information is not very valuable for very long.

There is an awful lot of "it depends" to this.

If the email system is within a private network, the risk is not as great, obviously.

Not a best practice, to be sure, but you need to determine the risk based on both the likelihood of password compromise, as well as the value of what is being protected.

I would not expect a bank to email me a new password over unencrypted email, but if a system admin emails me a password for an internal Unix server over the internal company email system, there is not really a whole lot of risk there....

Well as they say

by OH Smeg Moderator In reply to Don't send user&pwd in em ...

Just because you're Paranoid doesn't mean that someone isn't attempting to steal all of the Data.

It's a Bad Practice pure and simple.

The fact that it happens so often is more to do with the Complete Lack of Understanding of most Users and those who set up Systems for those End Users to use.

Here I don't so much mean Computer Systems or Information Systems but those Non Technical People who set up the systems that allow these End Users to Interact with these Computer Systems.

To me sending User Names & Passwords even Encrypted in E Mail is exactly the same as the person who rings their ISP asking how to set up their E Mail System at home because it's not working and I cannot get any E Mail and is told Don't Worry, we'll E Mail you the details.

