Email is not secure. Ever. Period.
It shocks me how frequently people send me sensitive information via email. If I told you how often I receive a social security number, credit card information, or password emailed to me, you’d (hopefully) be shocked as well.
I always make sure to go out of my way to tell people not to send any of that information via email, but sometimes it’s just not possible until it’s too late. And it’s not just non-technical users either. As recently as yesterday I was asked to try out a new service designed for agencies that do SEO work for clients. We do a fair amount of search engine optimization for our clients so I’m always on the lookout for tools that will help us serve our clients better. What happened as soon as I created a trial account? THEY EMAILED ME MY PASSWORD BACK IN PLAIN TEXT!!! (As a side note, don’t sign up for an account with RankActive.com. Any company that can’t even get that most basic level of security right doesn’t deserve clients.)
When I brought this to the attention of the rep who contacted me, she actually attempted to explain to me why it wasn’t a problem. (She did tell me they would at least stop sending that email within the next 24 hours.)
So why is email not secure?
First, while you may connect to your outgoing server via SSL (and if you’re not, you should be), once that email leaves your server, there is no guarantee that at least some portion of its journey to your recipient won’t happen over an unencrypted connection. (This is a good time to check and make sure you’re connecting to your incoming server via SSL also. While this still doesn’t guarantee anything, it helps close a big hole.)
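You can see this hop-by-hop behavior in a message you have received: each server that handles it prepends a Received header, and the RFC 3848 "with" keywords (ESMTPS, ESMTPSA and so on) record whether that hop used TLS. The Python below is an added example, not part of the original post; the sample message, its hostnames and the `classify_hops` helper are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample message (hosts, addresses and IDs are made up for illustration).
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.9])
\tby store.recipient.example with LMTP id abc123;
\tTue, 02 Jan 2024 10:00:03 +0000
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
\tby mx.recipient.example with ESMTP id def456;
\tTue, 02 Jan 2024 10:00:02 +0000
Received: from laptop.sender.example (unknown [192.0.2.44])
\tby relay.isp.example with ESMTPSA id ghi789;
\tTue, 02 Jan 2024 10:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: account details

(body)
"""

# "with" keywords registered by RFC 3848: a trailing S (or SA) means TLS was used.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
PLAIN_PROTOCOLS = {"SMTP", "ESMTP", "ESMTPA", "LMTP", "LMTPA"}

def classify_hops(raw_message):
    """Return [(receiving_host, protocol, verdict)] ordered sender -> recipient."""
    msg = message_from_string(raw_message)
    hops = []
    # Each server prepends its header, so reverse to follow the journey.
    for header in reversed(msg.get_all("Received", [])):
        flat = " ".join(header.split())  # undo header folding
        by = re.search(r"\bby\s+(\S+)", flat)
        proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", flat)
        name = proto.group(1).upper() if proto else ""
        if name in TLS_PROTOCOLS:
            verdict = "tls"
        elif name in PLAIN_PROTOCOLS:
            verdict = "no-tls"  # no TLS recorded for this hop
        else:
            verdict = "unknown"  # non-standard or missing keyword
        hops.append((by.group(1) if by else "?", name, verdict))
    return hops

if __name__ == "__main__":
    for host, proto, verdict in classify_hops(SAMPLE):
        print(f"{host:28} {proto:8} {verdict}")
```

In the sample, the sender's own connection is encrypted but the relay-to-recipient hop is not, which is exactly the gap described above. Received headers only show what each server chose to record, and they say nothing about how the message is stored afterwards.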
Next, most servers store emails in plain text (Gmail, for example, even scans all of your emails in an effort to better target you with advertising). If that server is compromised (it happens often), your emails are fully readable.
Then there’s the client. Most mail clients also don’t encrypt their data so once that email is downloaded to your phone or desktop, it’s visible to malware and other unscrupulous programs that may be lurking on your computer.
Also, anyone who has access to your recipient’s computer, device, or email now has that password. Imagine you send me a password or a credit card number via email and I have a virtual assistant that works for me whose job it is to sort through my emails and bring to my attention the ones that require it (this is an increasingly popular practice for busy ‘treps and SMBs).
Now think about the fact that most people use the same password over and over again. The only other point of access for most of your accounts is your email address (which I or anybody else that can see that email obviously has because it’s how you sent me your password). The likelihood that I can use that information to access just about anything I want to is pretty high.
Remember, email was invented somewhere between 1961 and 1978 (the origin of email is a hot topic of debate among internet historians). It was never designed to be secure, and was built without any idea of what the internet would become and what it’s used for today. So think twice before you hit send and remember that nothing you ever send via email is ever guaranteed to be 100% secure.