Sending Plain Text Passwords in Welcome Emails

We log in to apps and services constantly and need a large number of passwords, whether for a workstation, laptop, phone, social network, or software at work. Research indicates that the average person has up to 35 unique logins to remember.


When you sign up with a site, program, or any other type of service, you are often sent a welcome email containing the username and password for your new account.

Whenever you sign up for a site, you trust it with your personal information. At a minimum it holds your email address, and often a great deal more, including your password.

Nearly 50% of people forget their password and have to request a new one through email. If you click "Forgot Password" and the service emails you the password itself, that process is insecure.

Sending a password by email in plain text puts the account at risk. If the email is intercepted by a third party, retrieving the password from it is trivial.

It does not matter how obscure and unpredictable the password is: anyone with access to your mailbox can read it as easily as you can.

How to proceed?

Sending passwords in plain text email is extremely dangerous, and FortKnoxster strongly advises against the practice.

Your email is also stored on many systems on its way to you: in the Sent folder of the account it comes from, on the sender's mail server, on your own mail server, and on any other relays in between.

Many sites store passwords using a hash function, which converts the password into a fixed-length string of characters; an attacker who breaks in sees only those seemingly random characters. A plain hash is still weak, however, because the same password always produces the same hash, so a leaked hash can be matched against precomputed hashes of common passwords.

Your email is also usually saved in plain text locally on your desktop or workstation. If that machine or the mail server is compromised, every password sent to you is exposed to criminals.

Deleting an email does not mean it is permanently gone: copies can linger in trash folders or elsewhere. If your email account password is compromised, bad actors can read every password sent to you, or obtain new ones simply by requesting password resets.
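As an added illustration that is not part of the original post, the following constructed Python sketch shows the alternative to emailing a password: a "Forgot Password" flow that emails a random, single-use, short-lived token and stores only its hash, alongside a salted, deliberately slow password hash in place of the unsalted hash criticised above. The function names, the 15-minute token lifetime and the in-memory stores are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional, Tuple

RESET_TTL_SECONDS = 15 * 60  # constructed policy: a reset link lives 15 minutes
USERS = {}   # constructed in-memory store: email -> {"salt": bytes, "hash": bytes}
TOKENS = {}  # sha256(token) hex -> {"email": str, "expires": float, "used": bool}

def unsalted_hash(password: str) -> str:
    """The weak scheme the text criticises: equal passwords give equal hashes,
    so a leaked table can be matched against precomputed hashes."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, deliberately slow PBKDF2-HMAC-SHA256: the same password hashes
    differently for every user, and each guess costs real CPU time."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def verify_password(email: str, password: str) -> bool:
    rec = USERS.get(email)
    if rec is None:
        return False
    _, digest = hash_password(password, rec["salt"])
    return hmac.compare_digest(digest, rec["hash"])  # constant-time compare

def issue_reset_token(email: str, now: Optional[float] = None) -> str:
    """Return the one-time token to embed in the emailed link; only its hash
    is stored, so a database leak does not yield usable links."""
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    expires = (now if now is not None else time.time()) + RESET_TTL_SECONDS
    TOKENS[key] = {"email": email, "expires": expires, "used": False}
    return token

def redeem_reset_token(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Set a new password only if the token is known, unexpired and unused.
    The password itself never appears in any email."""
    rec = TOKENS.get(hashlib.sha256(token.encode()).hexdigest())
    now = now if now is not None else time.time()
    if rec is None or rec["used"] or now > rec["expires"]:
        return False
    rec["used"] = True  # single use: the link is dead after this call
    salt, digest = hash_password(new_password)
    USERS[rec["email"]] = {"salt": salt, "hash": digest}
    return True
```

Email remains the delivery channel, so a compromised mailbox can still trigger a reset; the token's short lifetime and single use narrow that window rather than remove it.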

Most users reuse passwords across services. A staggering 40% of people use the same passwords for their personal and work accounts, according to the 2020 Global Password Protection Survey.

These statistics confirm how serious password reuse is, and organizations need to take steps to minimize the resulting risk.

Password reuse is so common that once a password leaks via email, your other accounts are likely to be compromised by third parties as well.

What to do?

Reusing a password may be understandable, but make sure passwords are never sent in plain text via email. Organizations must make good password hygiene a priority in their security posture. Every user, system, application, service, router, switch, and IP camera should have a unique, strong password.

Data breaches have exposed over 4.1 billion documents, and leaked passwords are responsible for 81 percent of hacking-related breaches, according to the 2020 Verizon Data Breach Incident Study.
