Is it good practice to send passwords in separate emails, and why?

There is added noise to the channel if you send them separately; assuming there is a delay in sending the second email, the attacker would have to listen for a longer period of time and filter more content. It is simply a little bit safer than sending everything in the same package. Think of ordering a safe box and shipping the keys along with it; it's basically the same idea.

You are right in thinking that sending the password via a different channel (SMS, phone, etc.) is more secure; however, it also requires more management and collection of more information, and the logistics of doing it come with an added cost.


It certainly doesn't hurt your security to send two separate emails, but I agree that it's not a silver bullet.

The better practice is to send the password "out of band", meaning that you send the file and the password by different communication channels: one on the internet, and one not. If you send the file by email, send the password by SMS; if the file is on a network share, write the password on paper and physically give it to them, etc.

To understand why people make these suggestions, we need to think about which threat model this practice is trying to protect us from. In this case, both the sender and the recipient have both pieces, so it's not protecting us from end-point compromise (like someone having access to your computer or email account); instead, it is protecting us from a malicious mail-man while the data's in transit. The idea is to break the data into crypto-pieces and send each piece by a different channel so that no one mail-man has enough to reconstruct the data.

With this threat model, even sending two separate emails with the same To: and From: addresses does some good when you consider that 1) email is a plaintext protocol, and 2) any two packets will take two very different paths through the internet. This way, any 3rd-party router in the middle can see the contents of the message, but is only likely to see half the crypto-data. It certainly won't stop your ISP or the NSA (who log everything) from putting both bits back together, but they have to sift through a monumental amount of data to do it, which is expensive for them.

Clearly, sending both chunks with completely different To: and From: addresses, or delivering one piece by a non-internet method, makes the reconstruction that much harder. You don't have to make reconstruction impossible; you just have to make it more effort than breaking into your computer so that it's no longer the weak point in the chain.
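
The "crypto-pieces" idea above in its simplest form, as an added example that is not part of the original answer: an XOR split in which every channel carries one share and any single share is consistent with every possible secret of that length. It goes slightly beyond the file-plus-password case by splitting the secret itself across N channels; all function names and the sample password are constructed for the illustration.

```python
import secrets
from functools import reduce


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("shares must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_secret(secret: bytes, channels: int = 2) -> list[bytes]:
    """Split `secret` into one share per channel; all shares are required."""
    if channels < 2:
        raise ValueError("need at least two channels")
    if not secret:
        raise ValueError("secret must not be empty")
    # channels-1 shares are fresh random pads from the OS CSPRNG ...
    pads = [secrets.token_bytes(len(secret)) for _ in range(channels - 1)]
    # ... and the last share is the secret XORed with every pad.
    return pads + [reduce(xor_bytes, pads, secret)]


def combine_shares(shares: list[bytes]) -> bytes:
    """Recombine every share; a missing or altered share yields garbage."""
    if len(shares) < 2:
        raise ValueError("need every share to reconstruct")
    return reduce(xor_bytes, shares)


def matching_share(intercepted: bytes, candidate: bytes) -> bytes:
    """Return the partner share that would make `candidate` the secret.

    Such a partner exists for every candidate of the same length, which is
    why one intercepted share (2-way split) reveals only the length.
    """
    return xor_bytes(intercepted, candidate)


if __name__ == "__main__":
    password = b"correct horse battery staple"  # constructed sample value
    email_share, sms_share = split_secret(password, channels=2)
    print("email:", email_share.hex())
    print("sms:  ", sms_share.hex())
    print("both: ", combine_shares([email_share, sms_share]).decode())
```

Shares must never be reused for a second secret, and the split gives confidentiality only: it does not detect a share that was modified in transit.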


In my experience, most people who recommend this have previously worked in similar situations with snail mail, such as sending out the ATM card and the PIN separately.

It makes sense with snail mail, as in most cases it's not usually practical for a compromised node to intercept all traffic, and correlate cards to PINs. Or if it is practical, it's generally a node close to either the source or destination (your postal worker, or someone in the bank's mail room), who would be easily identified.

However, with email, it's relatively easy to intercept all traffic and correlate messages, so this advice has little value.
