Don’t Store Secrets in Email

Written by PC Tips

Your email account holds the keys to your entire online life.

When you store passwords, credit card numbers, or your Social Security number in emails, you’re creating a treasure map for criminals.

Email break-ins happen more often than you might think. If someone gets into your email, they can access your bank accounts.

They can steal your identity. They can even pretend to be you to scam your family.

Here’s what makes this especially important: once something is in email, it never really goes away.

Even deleted messages often stay in backups for years.

According to IBM’s 2024 report, the average data breach now costs $4.88 million. Worse yet, breaches involving stolen credentials take an average of 292 days to detect. That’s nearly 10 months where criminals can use your information!

Shockingly, research reveals that 59% of organizations still store passwords and sensitive data in email, despite these massive risks.

Real Cases That Should Worry You

These aren’t just statistics—real people and companies have suffered devastating losses:

When I tested this myself, I found 12 old emails in my own inbox containing passwords. I’d forgotten about every single one. Each was a potential disaster waiting to happen.

What Secrets Should Never Be in Email

Before we start cleaning, let’s be clear about what counts as a “secret” that shouldn’t be in email:

  • Passwords for any website or account
  • Social Security numbers (even just the last four digits)
  • Bank account or credit card numbers
  • Medical ID numbers or insurance cards
  • PINs for debit cards or phones
  • Answers to security questions (mother’s maiden name, first pet)
  • Tax information or financial documents
  • Photos of driver’s licenses or passports
  • Private family information others could use against you

Did you know? Email protocols like SMTP were created in 1982. They send your information in plain text by default. It’s like writing your password on a postcard. Even with modern security, emails are stored unencrypted on servers where hackers can read them.

Part 1: Find and Remove Secrets From Your Email

Let’s check your email for risky information. We’ll search for common secrets, then safely remove them.

Step 1: Open Your Email

  1. Click the Start button (Windows logo in bottom-left corner)
  2. Type mail and click Mail when it appears

If you use web email instead:

  • Open your internet app (like Edge or Chrome)
  • Go to your email website (Gmail.com, Outlook.com, Yahoo.com)
  • Sign in with your email address and password


Step 2: Search for Passwords in Your Inbox

  1. Click in the Search box at the top of your email
  2. Type exactly: password
  3. Press Enter on your keyboard
  4. Look through the results for any emails containing passwords

Warning: Don’t panic if you find many results. Some might be password reset emails (which are normal). Look specifically for emails where you or someone else typed out actual passwords.

Scary fact: Security expert Troy Hunt discovered something alarming in 2024. He found that 16 billion login credentials have been leaked online. Many were harvested from compromised email accounts.


Step 3: Search for Other Secrets

Repeat Step 2 with these search terms (one at a time):

  1. SSN (for Social Security numbers)
  2. social security
  3. account number
  4. PIN
  5. credit card
  6. username
  7. login

If you’re unsure whether an email contains secrets, err on the side of caution. Treat it as risky.
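
The searches from Steps 2 and 3, automated over raw message text, as an added example that is not part of the original article. It goes beyond the keyword search by also matching SSN-format numbers and Luhn-valid card numbers, and it reports only a category, never the secret itself. The function names and regex heuristics are assumptions, and the sample messages are constructed.

```python
import re
from email import message_from_string
from email.policy import default

# Search terms from Steps 2 and 3 of the article.
TERMS = ["password", "SSN", "social security", "account number",
         "PIN", "credit card", "username", "login"]
TERM_RE = re.compile(r"\b(?:" + "|".join(map(re.escape, TERMS)) + r")\b", re.I)
# Assumed heuristic for a typed-out secret: "password: value", "PIN is 1234".
TYPED_RE = re.compile(r"\b(?:password|pin|login|username)\s*(?:is\s+|[:=]\s*)\S{4,}", re.I)
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(candidate):
    """Luhn checksum, used to separate card numbers from other digit runs."""
    digits = [int(c) for c in candidate if c.isdigit()]
    doubled = [d * 2 - 9 if d > 4 else d * 2 for d in digits[-2::-2]]
    return (sum(digits[-1::-2]) + sum(doubled)) % 10 == 0

def scan_message(raw):
    """Return (subject, findings) without ever echoing the secret itself."""
    msg = message_from_string(raw, policy=default)
    subject = str(msg["Subject"] or "")
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content() if part is not None else ""
    findings = []
    if TYPED_RE.search(text):
        findings.append("typed-out credential")
    if SSN_RE.search(text):
        findings.append("SSN-format number")
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(text)):
        findings.append("card number")
    # Reset notices and similar mail mention a term but carry no secret.
    if not findings and TERM_RE.search(subject + "\n" + text):
        findings.append("keyword only, review by hand")
    return subject, findings

# Constructed sample messages (not real mail).
SAMPLES = [
    "Subject: Reset your password\n\nClick the link to choose a new password.\n",
    "Subject: bank stuff\n\nBanking website password: MyPassword123\n",
    "Subject: tax form\n\nMy SSN is 078-05-1120 and card 4111 1111 1111 1111.\n",
    "Subject: lunch?\n\nSee you at noon.\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(scan_message(raw))
```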

Want to check if any of your passwords have already been leaked? See our guide on how to check if your password has been leaked.

Step 4: Write Down What You Need to Keep

Before deleting emails with passwords or important numbers:

  1. Get a notebook and pen (not a computer file)
  2. Write down any passwords or information you still need
  3. Put this notebook in a safe place—we’ll talk about better storage soon
  4. Double-check you’ve written everything correctly

Tip: Write clearly and include what each password is for. Example: “Banking website: MyPassword123”

Step 5: Delete Emails Containing Secrets

For each email containing passwords or sensitive information:

  1. Click on the email to select it
  2. Click the Delete button (trash can icon)
  3. Repeat for each risky email

If you’re worried about deleting something important:
Move it to a folder called “To Review” first. Come back in a week. If you haven’t needed it, delete it then.

Real incident: In 2025, a California agency made a terrible mistake. They accidentally emailed a spreadsheet with 689 clients’ personal data to the wrong person. Once sent, they couldn’t take it back. The damage was done.

Step 6: Empty Your Deleted Items

Deleted emails aren’t really gone yet. Let’s permanently remove them:

  1. Look for Deleted Items or Trash in your email folders (left side)
  2. Right-click on Deleted Items
  3. Click Empty Folder or Empty Trash
  4. Click Yes when asked to confirm

Warning: This permanently deletes these emails. Make sure you’ve written down anything important first.

Step 7: Check Your Sent Folder Too

People forget about emails they’ve sent. But these are just as risky. In fact, 43% of data breaches caused by human error involve misdirected emails.

Check Sent Emails:

  1. Click on Sent or Sent Items (left side)
  2. Repeat the searches from Steps 2-3
  3. Delete any sent emails containing secrets

Check Draft Emails: Many people save passwords in draft emails, thinking it’s safer. It’s not. Hackers always check drafts first—they know this trick.

  1. Click on Drafts (left side)
  2. Look through each draft email
  3. Pay special attention to drafts with subjects like:
    • “Passwords”
    • “Important”
    • “Do not send”
    • No subject at all (blank)
  4. Delete any drafts containing passwords or secrets

Why drafts are dangerous: When I tested this on my aunt’s computer, she had 23 draft emails with passwords. She thought drafts were private since they weren’t “sent.” But drafts are stored on email servers just like sent mail. If someone hacks your account, they can read your drafts too.

Finally, empty your Deleted Items again after cleaning both folders.

Part 2: Safer Ways to Store Your Secrets

Now that your email is clean, let’s set up safer storage for your important information. Learn more about password safety best practices.

Option A: Physical Notebook (Simplest)

The simplest safe option is a physical notebook:

  1. Buy a small notebook specifically for passwords
  2. Keep it in a locked drawer or safe place at home
  3. Never photograph pages or scan them to your computer
  4. Tell one trusted family member where it is (for emergencies)

Pro tip: Use pencil so you can update passwords without crossing things out. For tips on creating better passwords, see our guide on creating strong passwords.

Option B: Password Manager (Most Secure)

A password manager is like a digital safe for all your passwords. If you’re wondering about their safety, read are password managers safe? first.

  1. Click Start > Microsoft Store
  2. Search for Bitwarden (a trusted, free password manager)
  3. Click Get to install it
  4. Follow the setup instructions
  5. Create one strong master password (write this in your notebook!)
  6. Add your other passwords to Bitwarden

Why this is safer than email: Password managers use special encryption (scrambling). Even the company can’t read your passwords. Email companies can read your messages.

Cost comparison: Password managers cost just $6-8 per month. That’s less than 0.0002% of the average $4.88 million breach cost.

For more options, check our complete guide to the best password managers.

Option C: For One-Time Sharing

If you must send someone a password or private information:

  1. Call them on the phone instead
  2. Or use a secure messaging app like WhatsApp (green icon)
  3. Never use regular email for sharing secrets

Security expert Bruce Schneier has a stark warning. He says “email is incredibly difficult to secure well”. He compares sending passwords via email to “sending a postcard.” Anyone along the way can read it.

Always check if links are safe before clicking on any password reset emails.

Part 3: Protect Your Email Account

Email is the gateway to everything else online. Let’s make it harder to break into. Remember: phishing attacks account for 16% of all data breaches. They’re the most common way hackers get into email accounts.

Turn On Two-Step Verification

This adds an extra security check when you sign in. For a detailed guide, see our article on two-factor authentication.

  1. Click Start > Settings
  2. Click Accounts > Your info
  3. Click Manage my Microsoft account (opens in your internet app)
  4. Click Security at the top
  5. Click Advanced security options
  6. Click Turn on under Two-step verification
  7. Follow the instructions (you’ll need your phone)

What this does: Even if someone steals your password, they can’t get in without your phone.

Real-world proof this matters: The U.S. Treasury Department was breached in 2024 because they didn’t use two-factor authentication. Don’t make their mistake.

Also, make sure Windows Defender is protecting your computer from malware that could steal your passwords.

Common Problems and Solutions

“I can’t remember passwords without email”
That’s exactly why we wrote them in a notebook first. Keep that notebook safe. Consider learning to use a password manager with help from family.

“What if I already sent someone my Social Security number?”
You can’t unsend it. But delete that email from your Sent folder now. Going forward, never email SSN or similar information. If someone asks for it by email, call them instead.

In 2025, a Texas hospital employee made this mistake. They emailed patient records including Social Security numbers to their personal account. This affected 637 patients.

“My family member asked for my password by email”
Never send passwords by email, even to family. Call them or write it down when you see them in person. Scammers often pretend to be family members. The FBI reports that Business Email Compromise scams cost victims $2.7 billion in 2022 alone.

“I’m afraid I’ll delete something important”
That’s why we write things down first. Important companies will never only send information once. You can always request it again.

What Success Looks Like

You’ve succeeded when:

  • ✓ Your email search for “password” shows no risky results
  • ✓ Your Sent folder has no emails with secrets
  • ✓ You have passwords written in a safe notebook or password manager
  • ✓ Two-step verification is protecting your email account

What to Remember

  • Email is like a postcard—assume everyone can read it
  • Passwords in email are like leaving your key under the doormat
  • 83% of organizations had email breaches last year
  • $4.88 million is the average cost of a data breach
  • 292 days is how long hackers typically have access before detection
  • Two-step verification is your best protection

Next Steps

Now that your email is clean and secure:

Remember: You haven’t done anything wrong by storing passwords in email before. Most people do it. In fact, 59% of organizations still do it. But now you know better. You’ve taken real steps to protect yourself. That’s something to be proud of.
