4

I am writing an app that requires multiple levels of users, where one user is an administrator and adds slave users.

I can't really seem to find a way to allow access to the slave users safely. Emailing a password is unsafe as emails are unencrypted, and I might as well just send the password if I'm sending a one-time link.

I can reduce the window exponentially by making a temporary password required to be changed on first login, emailing a one-time use link, setting a timeout on either of these, or any combination of all of these...

But the window still seems extremely large compared to asynchronous encryption, for example.

I could require an SSH communication or something, but obviously this is not even close to pragmatic.

What is the industry standard, and what solution, if any, can provide both a pragmatic user-friendly experience, as well as a secure channel?

Allenph
  • 153
  • 4

2 Answers

1

Sending passwords in a mail is not good under any circumstances. As I see it, the best thing you can do is send a one-time link in the email, so the user then navigates to your externally exposed interface (web?) and creates a password. To secure the email you can use PGP. This is a good guide.

This requires some burden of configuration on the user's end. If you are sending mails to known users (e.g. in a corporate environment), this is feasible. But if you are sending mails to the general public, I do not think PGP is a viable option.

user3496510
  • 1,257
  • 2
  • 12
  • 26
1

Security tends to be a compromise with usability. How secret is the data that "slave" users are handling in a brand new account, exactly? Is it worth hand delivering the password to end users, checking their id, then burning the note?

Email is not perfect, but is it really that insecure? What about if you only send emails to providers that you communicate securely with, or even configure your mail exchanger to require TLS and a valid certificate? Email from Amazon SES to, say, Gmail, is probably pretty tight.

Sending a create new account/password link would be way better than sending permanent credentials.

Is it enough to catch that an account has been stolen from email later, when the legitimate user cannot log in and talks to the administrator user about it?

Could the new accounts remain in a provisional state until the administrator is sure that the actual new user has created a password?

PS. Consider using nomenclature besides "slave users", as slavery is in fact a real thing that is hopefully not part of your webapp...

trognanders
  • 2,925
  • 1
  • 11
  • 12
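Both answers converge on the same pattern: email a one-time, expiring link instead of a password, and keep the account provisional until the user has set their own password so the administrator can see which invites are still outstanding (and notice when a link was redeemed by someone other than the intended user). The Python sketch below is an added example written for this thread; it is not code from either answer or from the asker's application. The in-memory dictionaries standing in for a database, the placeholder `app.example` URL, the 24-hour link lifetime and the 12-character minimum password length are all assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import parse_qs, urlparse

INVITE_TTL = timedelta(hours=24)          # assumed lifetime of an invite link
PBKDF2_ROUNDS = 600_000
BASE_URL = "https://app.example/invite"   # placeholder, not a real site


@dataclass
class Account:
    email: str
    state: str = "provisional"            # "active" only after the user sets a password
    salt: Optional[bytes] = None
    password_hash: Optional[bytes] = None


@dataclass
class Invite:
    email: str
    expires_at: datetime
    used: bool = False


# Constructed in-memory stores standing in for the application's database.
accounts: dict[str, Account] = {}
invites: dict[str, Invite] = {}           # keyed by SHA-256 of the raw token


def _token_key(token: str) -> str:
    # Only the hash is stored: a leaked database does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def create_invite(new_user_email: str, now: datetime) -> str:
    """Administrator action: create a provisional account, get the one-time link to email."""
    accounts[new_user_email] = Account(email=new_user_email)
    token = secrets.token_urlsafe(32)     # 256 bits from the OS CSPRNG; unguessable
    invites[_token_key(token)] = Invite(new_user_email, now + INVITE_TTL)
    return f"{BASE_URL}?token={token}"


def redeem_invite(link: str, new_password: str, now: datetime) -> str:
    """User action: follow the link and choose a password. Returns an outcome code."""
    token = parse_qs(urlparse(link).query).get("token", [""])[0]
    invite = invites.get(_token_key(token))
    if invite is None:
        return "invalid"
    if invite.used:
        return "already-used"             # a second use is the signal the admin should see
    if now >= invite.expires_at:
        return "expired"
    if len(new_password) < 12:
        return "weak-password"            # invite stays valid so the user can retry
    invite.used = True                    # burn the token before touching the account
    account = accounts[invite.email]
    account.salt = secrets.token_bytes(16)
    account.password_hash = _hash_password(new_password, account.salt)
    account.state = "active"
    return "ok"


def verify_login(email: str, password: str) -> bool:
    account = accounts.get(email)
    if account is None or account.state != "active":
        return False                      # provisional accounts cannot log in at all
    return hmac.compare_digest(_hash_password(password, account.salt), account.password_hash)


def pending_accounts() -> list[str]:
    """What the administrator reviews: accounts whose invite has not been redeemed yet."""
    return sorted(e for e, a in accounts.items() if a.state == "provisional")


def demo() -> dict:
    """Walk through the lifecycle with a fixed clock and return each step's outcome."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    link = create_invite("alice@example.com", t0)
    stale = create_invite("bob@example.com", t0)
    return {
        "pending_before": pending_accounts(),
        "first_redeem": redeem_invite(link, "correct horse battery staple", t0 + timedelta(hours=1)),
        "second_redeem": redeem_invite(link, "some other long password", t0 + timedelta(hours=2)),
        "expired_redeem": redeem_invite(stale, "some other long password", t0 + timedelta(days=2)),
        "tampered_redeem": redeem_invite(link[:-4] + "zzzz", "some other long password", t0),
        "login_ok": verify_login("alice@example.com", "correct horse battery staple"),
        "login_bad": verify_login("alice@example.com", "wrong password here"),
        "login_provisional": verify_login("bob@example.com", "some other long password"),
        "pending_after": pending_accounts(),
    }


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

The raw token exists only in the emailed link; the server keeps a hash, so a database read does not hand out working invites, and the token is marked used before the password is stored, so a link that was intercepted in transit works at most once. If the legitimate user later reports "already-used", or the account sits in `pending_accounts()` past the deadline, the administrator can revoke it and issue a new invite, which is the provisional-state check the second answer describes. Transport protection for the mail hop itself (TLS between mail exchangers) is a separate control and is not modelled here.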