Never email passwords to your users


You could write volumes about password and security issues on the web. Some issues are highly complex, while others are common sense like “don’t write your password on a sticky note on your monitor”. In fact, if you’re trying to create a good password policy for your application, Thomas Baekdal just wrote an excellent article on how to create secure passwords that users can actually remember. But that’s not what I’m writing about today.

My request is very simple: Never email users their password. Why? In most cases, email is an insecure method of communication. Email can be intercepted. So every time you email a password to your users, there is a chance that the password could be compromised — along with all of the user’s data inside your web application.

This behavior isn’t limited to poorly-made sites. I have seen everything from airline frequent flyer sites to project management applications send an email with the username and password right after creating an account. Even more sites skimp on the “Forgot Password” feature. Instead of generating a new password, they just email you the existing one — further exposing the password to prying eyes.

Fixing this problem is straightforward:

  • Never email users their password, either during initial account creation or subsequent password resets.
  • When a user forgets their password, give them a way to generate a new one. Make this a temporary password that they have to change after logging in. You can even email this if you want, since it’s only valid for one-time use.
  • If you really want users to have a copy of their password so they don’t keep asking for password resets, let them view their initial password or retrieve it later from a secure form on your site. Then they can print this out if they like, without compromising the security of the password. Just don’t email it.

As a final note, if the password features in your software are really difficult or impossible to change, at least have the decency to warn people in advance that you’re going to email them their password. Then they can decide if they want to use a different password or perhaps think a little bit harder about what their old one was.