
Why the Zerodha welcome email has a user ID but no password

From WebNotes, a public knowledge base. Reading time ~8 min.

The Zerodha welcome email carries your user ID and a link to create your own password, and it deliberately contains no password, because Zerodha stores passwords only as one-way encrypted hashes that it cannot read, let alone email. The user ID it delivers, also called the client ID, is the six-character code (two letters then four digits, such as AB1234) you use to log in to Kite and Console. The password is something you set yourself on first login through the credential-creation link, gated by a one-time password to your registered mobile and email. This article explains the security model behind that split, why no broker emails a password, and what to do when the credential link has expired.

The design follows a rule that applies across regulated finance, not just Zerodha: a system that can email you your password is a system that can read your password, and a system that can read your password is one a breach can read too. Modern login systems avoid this by never storing the password itself. They store a one-way cryptographic hash, verify a login by hashing what you type and comparing, and have no way to reverse the hash back to the original. An emailed password would require the opposite, a readable copy on file, which is exactly the weakness the hashing model removes.

What the welcome email actually contains

When account opening completes and the form is eSigned, Zerodha emails a message with the subject Welcome to Zerodha to your registered email address. It carries two things: your user ID, and a route to create your password. The user ID also appears in the account-opening PDF as the unique client code (UCC). It does not carry a ready-made password, a temporary password, or a default password. The absence is intentional, not an oversight or a delivery failure. A new holder who scans the email for a password and finds none is looking for something that, by design, was never put there.

The user ID, and the 12-character misconception

The Zerodha user ID is the client ID: six characters, formed as two letters followed by four digits, for example AB1234. The same value serves as the login ID for Kite, Console and Coin, and as the reference on support tickets. A common search is for a “12-character” Zerodha user ID, but that conflates the login ID with another identifier. The CDSL beneficiary-owner (BO) ID, the demat account number, is 16 digits; PAN is 10 characters. The login user ID a person actually types is the six-character client ID, and partial recall of one of the longer numbers is usually where the 12-character idea comes from.

Why brokers never email passwords

The reason is the storage model. A properly built login system never keeps your password as readable text. It keeps a salted, one-way hash, a fixed-length output from which the original cannot be recovered. At login the system hashes what you type and compares the two hashes; a match logs you in, and at no point does the system hold your actual password. This is why Zerodha cannot read your password and therefore cannot email it: there is nothing readable to send. The same property is why a “forgot password” flow resets the password rather than retrieving it; retrieval is impossible by construction. Any message or call claiming to read out your existing Zerodha password is therefore not Zerodha, and is a fraud signal worth treating as one.
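The storage model described above, as an added example that is not Zerodha's code: the `CredentialStore` class, the PBKDF2 parameters and the sample password are assumptions made for illustration. It shows that the server record holds only a salt and a digest, and that a reset overwrites the record rather than reading it.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2 work factor chosen for this example


def derive(password: str, salt: bytes) -> bytes:
    """Salted one-way derivation; no function exists that maps it back."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class CredentialStore:
    """Hypothetical server-side store: user ID -> (salt, digest)."""

    def __init__(self):
        self._records = {}

    def set_password(self, user_id: str, password: str) -> None:
        # Used for first-time setup and for "forgot password" alike:
        # the old digest is overwritten, never read back.
        salt = os.urandom(16)
        self._records[user_id] = (salt, derive(password, salt))

    def verify(self, user_id: str, attempt: str) -> bool:
        record = self._records.get(user_id)
        if record is None:
            derive(attempt, b"\x00" * 16)  # same work for unknown IDs
            return False
        salt, digest = record
        # Hash what was typed, then compare digests in constant time.
        return hmac.compare_digest(derive(attempt, salt), digest)

    def dump(self, user_id: str):
        """Everything the server (or a database thief) holds for this user."""
        return self._records[user_id]


if __name__ == "__main__":
    store = CredentialStore()
    store.set_password("AB1234", "correct horse battery staple")
    salt, digest = store.dump("AB1234")
    print("stored:", salt.hex(), digest.hex())
    print("right password:", store.verify("AB1234", "correct horse battery staple"))
    print("wrong password:", store.verify("AB1234", "hunter2"))
```

The class has no method that returns a password because the data needed to build one is never kept.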

How you set the password on first login

The password is created by you, once, at the start. Two routes lead to the same place. The first is the credential-creation link in the welcome email, which opens a page to set a password. The second, equivalent and always available, is the Forgot user ID or password option on the Kite login page at kite.zerodha.com. Either way you authenticate with a one-time password sent to your registered mobile number and email, then choose a password that meets the strength rules. Because the OTP goes to contact points already verified during KYC, the flow confirms it is you setting the password, not someone who merely intercepted the email.

After the password, first login enforces two-factor authentication. You confirm a second factor, an SMS OTP or a code from an authenticator app, before the session opens. The two factors are independent on purpose: a leaked password alone cannot open the account, because the second factor sits on a device you hold. This is the same control that makes the welcome email safe to deliver by ordinary email; the email gives an attacker a user ID and a link, neither of which is enough without the OTP that lands on your phone.

The link in the welcome email is time-limited, so an account opened weeks ago may have a dead link by the time you first log in. This is not a problem, because the link is a convenience, not the only path. Go to the Kite login page and click Forgot user ID or password. That flow does not depend on the original link; it re-sends an OTP to your registered mobile and email and lets you set credentials afresh. If you also cannot find the welcome email and do not know your user ID, the same Forgot user ID or password flow recovers the user ID, and if that fails, recovering your Kite user ID through Zerodha support with your registered mobile and email is the fallback. An expired link never strands you; it just routes you to the standard reset.
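A sketch of the two routes and the OTP gate, added here as an example and not taken from Zerodha: the token format, the 24-hour link lifetime, the 5-minute OTP lifetime and all function names are assumptions. It shows that a valid link only selects the route, an expired link falls back to the reset flow, and neither route sets a password without the OTP.

```python
import hashlib
import hmac
import secrets

LINK_TTL = 24 * 3600   # assumed; the article only says the link is time-limited
OTP_TTL = 300          # assumed OTP lifetime in seconds
SERVER_KEY = secrets.token_bytes(32)  # hypothetical server-side signing key


def _tag(msg: str) -> str:
    return hmac.new(SERVER_KEY, msg.encode(), hashlib.sha256).hexdigest()


def make_link_token(user_id: str, now: int) -> str:
    """Value embedded in the welcome-email link: user ID, expiry, HMAC tag."""
    msg = f"{user_id}.{now + LINK_TTL}"
    return f"{msg}.{_tag(msg)}"


def check_link_token(token: str, now: int):
    """Return the user ID for an authentic, unexpired token, else None."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    user_id, expires, tag = parts
    if not hmac.compare_digest(tag.encode(), _tag(f"{user_id}.{expires}").encode()):
        return None
    return user_id if now < int(expires) else None


def start_setup(token, typed_user_id: str, now: int) -> dict:
    """Pick the route, then issue an OTP to the registered mobile and email."""
    from_link = check_link_token(token, now) if token else None
    return {
        "route": "welcome-link" if from_link else "forgot-user-id-or-password",
        "user_id": from_link or typed_user_id,
        "otp": f"{secrets.randbelow(10**6):06d}",  # delivered out of band
        "otp_expires": now + OTP_TTL,
    }


def finish_setup(pending: dict, otp_attempt: str, now: int) -> bool:
    """Only a correct, unexpired OTP authorises setting the password."""
    if now >= pending["otp_expires"]:
        return False
    return hmac.compare_digest(pending["otp"].encode(), otp_attempt.encode())
```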

What this means for a new account holder

For a new holder the practical sequence is short. Open the welcome email, note the six-character user ID, and use the link, or Forgot password if the link is stale, to set your own password against an OTP. Expect a second factor at first login and set up the authenticator or SMS OTP when prompted. Do not wait for a password to arrive separately, because none will, and do not trust any party that offers to tell you your password, because no legitimate one can. The model trades the minor friction of setting your own password for the larger benefit that nobody, not even the broker, ever holds a readable copy of it.

References

  1. Zerodha support, What is my user ID to log in to Zerodha’s trading platform, support.zerodha.com (as of 20 June 2026); the user ID is emailed with the subject Welcome to Zerodha and appears after the form is eSigned.
  2. Zerodha support, policy regarding client passwords, support.zerodha.com (as of 20 June 2026); passwords are stored encrypted at the backend and Zerodha does not have access to them.
  3. SEBI Master Circular on cyber security and cyber resilience for SEBI-regulated entities, on credential storage and two-factor authentication.

Frequently asked questions

Why does the Zerodha welcome email not contain a password?
Because Zerodha stores passwords only as one-way encrypted hashes and cannot read them, it never emails a password. The welcome email carries your user ID and a link through which you set your own password on first login.

What does the Zerodha welcome email contain?
It carries your Zerodha user ID, also called the client ID, and a link to create your password. The user ID is a six-character code, two letters followed by four digits, such as AB1234, used to log in to Kite and Console.

How do I set my Zerodha password the first time?
Open the credential-creation link in the welcome email, or go to the Kite login page and use Forgot user ID or password. You verify an OTP sent to your registered mobile and email, then set your own password.

Is the Zerodha user ID 12 characters long?
No. The Zerodha client ID is six characters, two letters and four digits. The 12-character idea usually conflates it with the 16-digit CDSL demat number or another identifier; the login user ID is six characters.

What do I do if the Zerodha password link has expired?
Go to the Kite login page and click Forgot user ID or password. Setting credentials there does not depend on the original link, and you authenticate with an OTP to your registered mobile and email.

Can Zerodha tell me my existing password over email or phone?
No. Zerodha cannot retrieve a password because it is stored as an irreversible hash, not as readable text. Anyone offering to read out your password is not Zerodha; reset it yourself through Forgot password instead.

Why does first login also ask for an OTP or app code?
First login enforces two-factor authentication. After the password you confirm a second factor, an SMS OTP or an authenticator app code, so a leaked password alone cannot open the account.

Reviewed and published by

The WebNotes Editorial Team covers Indian capital markets, payments infrastructure and retail investor procedures. Every article is fact-checked against primary sources, principally SEBI circulars and master directions, NPCI specifications and the official support documentation published by the intermediary in question. Drafts go through a second-pair-of-eyes review and a separate compliance read before publication, and revisions are tracked against the SEBI and NPCI rule changes referenced in the methodology section.

Conflicts of interest
WebNotes is independent. No relationship with any broker, registrar or bank named in this article.