If you want to send someone a private message and make sure they are the only ones reading the message, protecting it with a password that only the recipient knows is a good choice. Fortunately, secure email providers ProtonMail and Tutanota make this process easy and very secure, and you can use both for free.
Why send a password protected email?
When you send an email to a standard webmail address such as Gmail, the server receives the email and notifies the recipient. The server can see the entire contents of the email and any device set up for use with that email address can notify the recipient of a new message.
This usually takes the form of a push notification with a visible subject line and a preview of the message content. Even on a mobile device that is locked, it can give away information to anyone looking over the recipient̵
On a shared computer or tablet, the email can be automatically downloaded via clients such as Apple Mail. All it takes is a few clicks to read the entire content, regardless of whether the email was intended for someone’s eyes or not. The message can be indexed by local search engines and may appear at other times.
If the message in question is sensitive, this may not be ideal. If you really want only the intended recipient to see the contents of your email, protecting it with a password seems like an obvious choice. As long as you can communicate the password privately to the recipient, your message can be read without the risk of someone else seeing it first.
Specifically, the services we will be using today will not transfer your message (other than the subject line) to the recipient’s email server. This means that the contents of the message will not even be displayed when searched for in a webmail or desktop client.
Send password-protected email with ProtonMail
ProtonMail is one of the best-known secure email providers on the Internet. The service is based in Switzerland, where data protection laws are strict. It uses end-to-end encryption so that the content of the email is stored in an encrypted format that even ProtonMail’s servers cannot decrypt.
ProtonMail automatically encrypts all messages between users of the service, with an option to use PGP encryption for contacts using other email services. But there is also an option to easily send a password-protected email to anyone, no matter what email service they use.
To do this, you need to sign up for a free ProtonMail account. You do not need to provide your name, an existing email address or other identifying personal information.
After you have signed up and logged in, click the “Compose” button in the top left corner of the screen to start writing your message. When you’re ready to send your message, click the “padlock” encryption icon at the bottom of the compose window.
Here you can set your password (which must be typed twice for confirmation) and an optional password hint. If you’re sending email to someone and you haven’t given them a password yet, you can use the hint field to ask them to enter a password that only they would know.
Press the “Set” button to lock your email. You can now click on the expiration “hourglass” icon to determine when your email will expire. All emails sent using this method will expire within 28 days by default, but you can choose a shorter period if you prefer. When you’re done, click Send to finalize your message.
Everything except the subject line and the recipient is encrypted and hidden. The recipient will be notified that they have a password-protected email and a link waiting for them. When the link is clicked, a password field will appear that can be used to decrypt the message.
RELATED: What Is ProtonMail and Why Is It More Private Than Gmail?
Send password protected email with Tutanota
Tutanota is another well known and trusted secure email provider. The company is based in Germany, a country with some of the strictest data protection laws in the world. Tutanota also uses end-to-end encryption so that the data on the server is only visible to the person who owns the email account.
Like ProtonMail, Tutanota also encrypts messages between users of the same service. Tutanota also includes a password-protected email mechanism that works almost identical to ProtonMail’s, except that the Tutanota implementation also encrypts and hides the subject line.
To send email via Tutanota, you need to sign up for a free account. As with ProtonMail, you don’t need to provide identifying information to sign up. Just choose a username and password and you’re good to go. Once you have signed up and logged in, click the “New Email” button to start composing your message.
Enter an email address in the “To” field to display an optional password field. You can change the password requirement using the secure “padlock” icon in the subject field. Tutanota will remember the last password you set for the specified email address – or you can set a new one.
When your message is compiled, click Send and Tutanota will deliver a message notifying the recipient that an encrypted email is waiting for them. If they click on the link in this email, a password field can be used to decrypt the message so that it can be read.
As with ProtonMail, the password-protected messages from Tutanota will also expire. Your message will be available on the provided link until the next time you send a password-protected message to the same email address.
RELATED: ProtonMail vs. Tutanota: Which Is The Best Secure Email Provider?
How is this more secure than webmail?
The great thing about this solution is that the content of your messages (other than ProtonMail’s subject line) never even touches the recipient’s email servers. Nothing you say will be visible in an unencrypted format as the message content only exists on ProtonMail or Tutanota’s servers.
If your email provider has to hand over the contents of your inbox due to a legal request, the contents of the email will not be stored anywhere. The same is true if there is a data breach and your inbox has been compromised.
This means that the content of your message cannot be scanned by Gmail’s AI, indexed by local search functions on a mobile device or desktop, or appear in a push notification. The most a recipient will see before decrypting the message with a password is a notification that an email is waiting for them.
This method also has drawbacks. Many people are unwilling to click on links in email messages, and some spam filters may even mistakenly redirect your encrypted email to junk email. Plus, because the messages expire, it can be easy to lose them, especially if the recipient doesn’t realize they’re there.
Nor is it a foolproof system. Someone can guess the password, or the recipient can give the link and password to other people. Never assume that information is secure purely because it was once password protected.
Why not use Gmail or Outlook?
The best native protection Gmail has to offer in this department is the confidential email feature. This uses a one-time passcode to prove that the person opening the email can access the mailbox it was sent to, but this method isn’t much useful if the inbox has already been compromised.
Outlook also offers some protection using S / MIME encryption, which requires certificates to be set on your device and the recipient is using an email application that supports the standard. It’s a long way from entering a password, nor does it work with the webmail version of Outlook.
How about password sharing?
How you provide the password can be just as important as this process. If possible, do this in person so that you know that the person you are talking to is who they say they are. If this fails, you can use a secure messaging service such as Signal to send a self-destructing message.
Learn more about sharing passwords securely with a password manager.
RELATED: How to make your signal chats as safe as possible