I've noticed some services will send a username in one email with a note saying the password will come in a different email. Is there any point to this? It seems that if someone can get that email then surely they can get the one with the password, no?
2 Answers
Eh, yes and no. If you can access a specific e-mail from a user at a specific time, there is no guarantee that you can always access all mails from that user. Access may be temporary (for example if a user is getting some coffee). The idea is also that the user changes the password quickly after receiving the password mail.
That being said, it is far less secure than using a separate channel for the password.
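The pairing step the question takes for granted, shown as an added example that is not part of the original question or either answer: an attacker who can read a mailbox does not need to guess which "password" mail belongs to which "username" mail, because both share a sender, a recipient and a timestamp a few minutes apart. The three messages, the regexes and the one-hour window are all constructed for this illustration; real notification mails will differ in wording.

```python
"""Correlate split credential e-mails inside a mailbox.

Added example, not code from the Q&A above. Given a set of messages the
attacker can read, pair each "username" mail with the "password" mail
sent by the same sender to the same recipient within a short window.
The mailbox contents below are constructed sample data.
"""
import email
import re
from datetime import timedelta
from email import policy
from email.utils import parsedate_to_datetime

# Constructed sample mailbox: one split credential pair for alice, an
# orphan password mail for bob (username mail never captured), and a
# newsletter that carries no credential at all.
RAW_MESSAGES = [
b"""From: noreply@example-service.test
To: alice@example.test
Subject: Your new account
Date: Wed, 28 Jul 2021 15:00:00 +0000

Welcome! Your username is alice.smith
Your password will arrive in a separate e-mail.
""",
b"""From: noreply@example-service.test
To: alice@example.test
Subject: Your temporary password
Date: Wed, 28 Jul 2021 15:09:30 +0000

As promised, here is the other half.
Your password is Correct-Horse-7
""",
b"""From: noreply@example-service.test
To: bob@example.test
Subject: Your temporary password
Date: Wed, 28 Jul 2021 15:12:00 +0000

Your password is Battery-Staple-4
""",
b"""From: news@example-shop.test
To: alice@example.test
Subject: Weekly deals
Date: Wed, 28 Jul 2021 15:05:00 +0000

Nothing secret in here.
""",
]

# Hypothetical phrasings; a real tool would carry a list of templates.
USERNAME_RE = re.compile(r"username is\s+(\S+)", re.I)
PASSWORD_RE = re.compile(r"password is\s+(\S+)", re.I)


def classify(msg):
    """Return ('username', value), ('password', value) or (None, None)."""
    body = msg.get_body(preferencelist=("plain",)).get_content()
    m = USERNAME_RE.search(body)
    if m:
        return "username", m.group(1)
    m = PASSWORD_RE.search(body)
    if m:
        return "password", m.group(1)
    return None, None


def correlate(raw_messages, window=timedelta(hours=1)):
    """Pair username and password mails by (sender, recipient) and time.

    Returns a list of (recipient, username, password) tuples. A password
    mail is only paired with a username mail that precedes it by at most
    `window`; anything else stays unpaired.
    """
    by_key = {}
    for raw in raw_messages:
        msg = email.message_from_bytes(raw, policy=policy.default)
        kind, value = classify(msg)
        if kind is None:
            continue
        key = (str(msg["From"]).strip().lower(), str(msg["To"]).strip().lower())
        sent = parsedate_to_datetime(msg["Date"])
        by_key.setdefault(key, []).append((sent, kind, value))

    pairs = []
    for (sender, recipient), items in by_key.items():
        items.sort()  # chronological order within one sender/recipient pair
        for i, (t_user, kind, username) in enumerate(items):
            if kind != "username":
                continue
            for t_pass, later_kind, password in items[i + 1:]:
                if later_kind == "password" and t_pass - t_user <= window:
                    pairs.append((recipient, username, password))
                    break
    return pairs


if __name__ == "__main__":
    for recipient, username, password in correlate(RAW_MESSAGES):
        print(f"{recipient}: {username} / {password}")
```

Only alice's two mails line up; bob's password mail has no username mail to attach to, and the newsletter is ignored. The point of the example is that the split costs the attacker one sort and one time comparison, which is why the first answer's "temporary access" window is the only protection the scheme actually offers.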
Yes, this has been a common practice for a number of years. The whole point of it was to obscure where the password was tied to. So if someone is able to sniff your SMTP traffic it would just be more work to tie the two e-mails together. With the prevalence of SMTP over TLS this doesn't make a lot of sense to recommend any more. If the content is that sensitive it's better to just encrypt the data in a password-protected ZIP and communicate the password over the phone.
Transmission is just one weak point. But it's not the only one. SMTP has been sent server-to-server over TLS for a long time. That's not the credible threat. And the last recommendation you provide makes no sense whatsoever. Send a password-protected password? – schroeder Jul 28 '21 at 15:57