Skip to end of metadata
Go to start of metadata

Until summer 2017 it was possible (although discouraged) to send an end user an email from our system that contained their username and password. This function was removed on 22 June.

Sending passwords by email is considered poor practice by every security expert in the world:

  • it sends passwords in clear text
  • email is not a secure medium

It may help to think of email as being more like a post card than a letter - what you've written is visible to everyone and everything that handles it between sending and receipt. 

What you should do instead

The only email we will send now contains a time-limited link that the user can use to set a password. This does the double duty of confirming that the email address on the account is valid, and allows the user to select a password that they can remember. It is the recognised best-practice option for setting and resetting user passwords.

This is often called an activation email within OpenAthens.

For more information about account activation see:

But what if I really want / need to send a password in an email?

That's up to you but we will not send the email - you would need to use your own email client.

  • No labels