0

At work we are using a secure file transfer utility that, after setting it up, sends you and the participants you want to share those files with, two emails. One email contains the randomised username, another one the password. I understand that this is done to minimise the risk of exposing both pieces of information at the same time, but with email being inherently insecure isn't email unsuitable for communicating these?

Both username and password are valid for a limited time only (5-7 days).

What are the pros and cons of sending two separate emails, one with the username and one with the password?

Alex Ixeras
  • Insecure how? The traditional worry is if it transits point-to-point via multiple servers (in which case, sending two emails would likely be routed differently), because it would be readable by all the servers (and routers) on the way. That's almost certainly not an issue anymore - your connection to your domain is direct, and encrypted (especially with web frontends), and in most cases domain-domain transmission is going to be direct (and encrypted), especially for the larger providers. – Clockwork-Muse Oct 21 '21 at 05:28
  • Thanks. So if it's a domain-domain transition and encrypted, why two emails then? – Alex Ixeras Oct 21 '21 at 05:32
  • Because history, when that didn't use to be the case. – Clockwork-Muse Oct 21 '21 at 05:41
  • Yes, that's what I thought. So it's more a play of chances (ie. believe that it's unlikely both emails will be sniffed out). – Alex Ixeras Oct 21 '21 at 05:51
  • That's quite an assumption that two emails will be routed differently. Also, in order for us to understand this process better it would be useful to provide more information regarding this system. When you speak of participants, do you mean external clients? How long are these credentials valid after sending the email? Are users required to change their password after first authentication? Have you thought of the scenario when an inbox is compromised? – Jeroen Oct 21 '21 at 06:09
  • Participants can be external or internal. No restrictions there. The credentials are valid for 5-7 days (not sure). Users are not required to change their passwords. Everyone on the "To" list will get the same username and password. – Inbox compromisation: yes, that was one of my thoughts, but the company has pretty strict security. – Alex Ixeras Oct 21 '21 at 06:13
  • While your company may or may not have strict security, you do not know the level of security of external participants. Having multiple users use the same credentials is also considered a bad practice as your audit trail is non-existent at this point. – Jeroen Oct 21 '21 at 06:30
  • Yes –and I'm not working at this company in a security capacity, but just interested–, but we do not share customer data with external participants, maybe some other confidential information through this method (and not that that would make a potential breach less serious). Re audit trails, I agree. – Alex Ixeras Oct 22 '21 at 02:10

3 Answers

2

It is usually a trade-off between user experience and security. How the trade-off is made depends on the actual threats. While mail can be seen as inherently insecure, it does not mean that every mail gets intercepted for sure. If the impact of a potential interception is low then it might be acceptable to prefer ease of use over security.

It cannot be said though based on your description what the impact of a potential interception is. If the transferred file is an image which should be used in a marketing campaign, then the impact is likely low. If it is instead the company strategy for the next years the impact is higher.

That said, I doubt that sending username and password in two mails within a short time to exactly the same recipient provides significantly better security than sending a single mail which provides all access information at once. Since usually TLS is used during mail transport it is less likely that some man in the middle attacker sniffs a single mail, but more likely that the attacker has compromised the recipient's mailbox or a mail server on the way. In these cases using two mails instead of one does not add relevant security. What would add security is instead to provide the password using a different medium, like calling the recipient by phone.

Steffen Ullrich
  • The secure file transfer tool is sitting within a company domain. So it looks like it'd be sent internally only. Question is then, why two emails? – The ordinary use cases are transfer of sensitive customer data. – Alex Ixeras Oct 21 '21 at 05:45
  • @AlexIxeras: Just because it is sitting within the company domain does not mean that everything is done internally. It is very common today that users work from home and that they are only loosely connected - i.e. not necessarily tightly integrated into the company network with managed devices and VPN. Apart from that handling of mail is often externalized, like with M365 or Google Workspace. – Steffen Ullrich Oct 21 '21 at 06:56
  • So, I take it that the reason for sharing username and password in two separate emails is mostly historical… – Alex Ixeras Oct 24 '21 at 03:52
  • @AlexIxeras: I would not call it historical since it might be still in use. It is simply a practice which might have added value in the past but does not add much value anymore today. – Steffen Ullrich Oct 24 '21 at 05:31
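The answer above and the comments under the question both turn on how the two mails actually travel: whether each hop used TLS, and whether the username mail and the password mail take the same route. As an added example (not part of the original thread), this Python sketch reads the `Received` headers of two delivered mails and reports both; the header samples and host names are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed headers (hosts are made up); a real check would read the two
# delivered notification mails from the recipient's mailbox.
USERNAME_MAIL = (
    "Received: from mx.partner.example by store.partner.example with ESMTPS id b1;\n"
    "\tThu, 21 Oct 2021 05:00:03 +0000\n"
    "Received: from transfer.corp.example by mx.partner.example with ESMTPS id a1;\n"
    "\tThu, 21 Oct 2021 05:00:01 +0000\n"
    "Subject: Your username\n\nbody\n"
)
PASSWORD_MAIL = (
    "Received: from mx.partner.example by store.partner.example with ESMTPS id b2;\n"
    "\tThu, 21 Oct 2021 05:00:09 +0000\n"
    "Received: from transfer.corp.example by mx.partner.example with ESMTP id a2;\n"
    "\tThu, 21 Oct 2021 05:00:07 +0000\n"
    "Subject: Your password\n\nbody\n"
)

BY = re.compile(r"\bby\s+(\S+)")
# RFC 3848 "with" keywords: an S after the protocol name (ESMTPS, ESMTPSA,
# LMTPS, ...) means the hop was accepted over TLS.
WITH = re.compile(r"\bwith\s+[A-Z0-9]*MTP([A-Z]*)\b")

def hops(raw):
    """Return [(receiving_host, used_tls)] in transit order."""
    out = []
    for value in message_from_string(raw).get_all("Received", []):
        by, proto = BY.search(value), WITH.search(value)
        if by:
            out.append((by.group(1), bool(proto and "S" in proto.group(1))))
    return out[::-1]  # headers are prepended, so the last hop is on top

def same_path(raw_a, raw_b):
    """True when both mails were received by the same hosts in the same order."""
    return [h for h, _ in hops(raw_a)] == [h for h, _ in hops(raw_b)]

def cleartext_hops(raw):
    """Receiving hosts that did not record TLS for their hop."""
    return [h for h, tls in hops(raw) if not tls]

if __name__ == "__main__":
    print("same path:", same_path(USERNAME_MAIL, PASSWORD_MAIL))
    print("cleartext hops (password mail):", cleartext_hops(PASSWORD_MAIL))
```

`Received` lines are written by each relaying server, so only the ones added by servers you operate can be relied on. Hop-level TLS also says nothing about a compromised mailbox, where both mails sit side by side.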
2

I will first describe what I have understood from your question:

  • For meetings you are sending username password pairs to the participants - they are used to retrieve documents
  • the username and the password are sent in different emails
  • all the participants at a meeting share the same username password pair
  • participants can be internal (to the organization) or external
  • the username password pair is only valid for a short time (5 to 7 days)

My opinion is that this can be seen as acceptable for moderately sensitive information (only random attacks, and danger is low even if the information is leaked).

The highest barrier here is that the credentials are only valid for a short period and only for the documents of a single meeting. For that reason it would not make much sense to have to change the received password.

That can also explain why the credentials are shared. The rule is that a secret should not be shared among more than 2 endpoints to prevent leakage, but here the secret expires soon.

The rationale for using 2 emails is that it does not add that much security, but the cost is so low that it would be a pity not to do it.


The problem here is that having external participants makes it difficult to imagine a more secure way to send the credentials. The only robust way would be IMHO to send the username by mail, and the password by phone (2 distinct channels) but it can become a time consuming operation if you have many external participants, so it is just the usual balance security/cost/risk.

Serge Ballesta
  • It's not for meetings, but that's not really relevant here. It's in most instances for sharing sensitive customer details internally. When it's about customer details this information is not shared with external partners, but the same tool _can_ be used with external partners to securely share other data. Probably because of the nature of the business I'm working for we are frequently an attack target that our information security division is monitoring. – Alex Ixeras Oct 22 '21 at 02:25
0

General email is not secure. However, if "at work" means internal email only, then potentially security is much higher, especially if all work email uses S/MIME encryption as is fairly common in a closed community.

Sending two emails is an obscurity attempt or hope that interceptors will not correlate the two messages. It's a bad practice!

user10216038
  • SMIME encryption won't save you if somebody else is in your inbox... – Clockwork-Muse Oct 21 '21 at 05:18
  • The secure file transfer tool is sitting within a company domain. So it looks like it'd be sent internally only. Question is then, why two emails? – Alex Ixeras Oct 21 '21 at 05:43
  • Note that "at work" hasn't meant "internal email only" for a long time. That's only a relevant consequence when email servers and recipients are on prem. But, with the cloud ... – schroeder Oct 21 '21 at 08:19