Please stop emailing me your passwords

equest Team

I got an email last week. Subject line: “logins for you.”

Inside? Username, password, and a 2FA backup code. For their production database. Just sitting there in plain text in my inbox. Forever.

This happens constantly.

The hall of fame

Over the years, clients have sent me:

  • AWS root credentials (not IAM, the actual root)
  • Credit card numbers “in case you need to buy something”
  • Their personal email password (I asked for their business one)
  • A photo of a Post-it note with six different passwords on it
  • An Excel file called “all-passwords.xlsx” with no password protection

I’m not exaggerating. These are real things that have landed in my inbox.

Why email is terrible for this

Let’s count the ways:

It’s permanent. That password is now in your sent folder, my inbox, probably backed up on both our mail servers, and synced to every device we own. Good luck “unsending” that.

It’s searchable. Anyone who gets into your email can just search “password” and hit the jackpot.

It gets forwarded. “Hey can you loop in my developer?” Sure, let me forward this thread with all your credentials in the history.

It’s not encrypted. Most email travels in plain text between servers. It’s basically a postcard.

What I tell clients now

Before every project, I send a short message:

“Please don’t email me passwords or sensitive credentials. Here’s a link to submit them securely.”

That link goes to a password-protected questionnaire. The info is encrypted. I can access it when I need it. Nobody’s inbox becomes a security liability.

Does everyone follow the instructions? No. But most do, and that’s a win.

The awkward conversation

Sometimes I have to reply with “hey, I got your password, can you please change it and send the new one through the secure link instead?”

It feels nitpicky. But I’d rather have that awkward exchange than explain to a client why their site got hacked because their credentials were sitting in a Gmail thread from 2019.


equest has encrypted responses for exactly this reason. Just saying.