Until summer 2017 it was possible (although discouraged) to send an end user an email from our system that contained their username and password. This function was removed on 22 June.
Sending passwords by email is considered poor practice by every security expert in the world:
- it sends passwords in clear text
- email is not a secure medium
It may help to think of email as being more like a post card than a letter - what you've written is visible to everyone and everything that handles it between sending and receipt.
What you should do instead
The only email we will send now contains a time-limited link that the user can use to set a password. This does the double duty of confirming that the email address on the account is valid, and allows the user to select a password that they can remember. It is the recognised best-practice option for setting and resetting user passwords.
This is often called an activation email within OpenAthens.
For more information about account activation see:
- About account activation
- How to re-send an account activation email
- How to reset a password
- Organisation preferences
- Accounts not activated
But what if I really want / need to send a password in an email?
That's up to you but we will not send the email - you would need to use your own email client.