Published on July 26, 2018
It’s one of the most common inquiries handled by our customer care team — how to recover a lost or forgotten passphrase. As clearly stated when you first set up your account, passphrases can’t be recovered or reset. This might come as a shock for those of us used to easily resetting passphrases for other services, but Hushmail has decided to forgo this amenity for a very good reason. Allowing customers to reset passphrases opens the door to security breaches.
One way services allow you to reset your passphrase is through security questions to confirm your identity. But these questions are surprisingly easy to answer with just a little bit of research. The name of your high school, your mother’s maiden name, or your dream job can be guessed or discovered through social media posts or online records.
Another way to reset a passphrase is to email a link to a backup email account that you can use to set up a new passphrase. However, if that backup email account is compromised, someone with unauthorized access could gain the ability to change your passphrase and access your account.
Text messages are also used to reset passphrases, but SMS is easy for a savvy hacker to circumvent. Hushmail uses SMS, but only for two-step verification, which works when used with a passphrase, never by itself.
Passphrase recovery is only available for Hushmail for Business customers who have users under their own domain, and who elect to enable passphrase recovery. If a passphrase is forgotten or misplaced, the administrator of the account can reset the passphrase for the user.
However, passphrase recovery must be enabled before user accounts are created. If it’s enabled after accounts are already in place, the users will have to go in and change their passphrases for it to be effective.
If you decide to use passphrase recovery for your business account, it’s important to remember that it’s not a retroactive solution. If the passphrase is already lost and the feature was not enabled, then enabling it after the fact will not allow you to reset the passphrase.
First, make sure you’ve really forgotten your passphrase. Double-check that you’re entering your full email address when you attempt to sign in. Hushmail email addresses can end in @hushmail.com, @hush.com, @mac.hush.com, @hushmail.me, @hush.ai or your own domain.
Hushmail passphrases are case sensitive. If you’re having difficulty accessing your account, make sure that you don’t have caps lock enabled on your keyboard.
If your passphrase is saved in your web browser and automatically filled in on our sign-in page, you may be able to look it up there: most web browsers now offer the ability to view and retrieve saved credentials.
If all else fails, we'll transfer the duration of your subscription to another account at no charge.
You may be wondering how to keep up with a passphrase that you must remember at the risk of losing your account and having to set up a new one. Here are a few suggestions:
It’s important to remember that Hushmail will never ask you for your passphrase. We don’t know your passphrase, and we don’t store passphrases on our system. If you receive an email that looks like it’s from Hushmail asking you for your passphrase, don’t respond; delete the email. You can also file a report with our abuse department.
At Hushmail we feel that the inconvenience that may come from not being able to reset a passphrase is a small price to pay for greater security. In short, most passphrase resetting methods are easier to crack than the passphrase itself, which defeats the purpose of having a strong passphrase. Not enabling you to reset your Hushmail passphrase makes your account more secure, and at Hushmail, security will always be our top priority.