How can clients easily and securely send me passwords?

I often need to get passwords from clients for FTP, SSH, MySQL, Authorize.net, etc.

What's an easy way for them to send me passwords securely? Maybe even without them needing a login/password?

Encrypted IM sessions are a hassle to set up with non-techies. Phone calls break up my concentration and require arranging. (Are VOIP calls secure, anyway?)

Ideal: An easy way for non-tech-savvy people to send encrypted email. PGP/GPG doesn't cut it, unless Outlook has some super-easy built-in wizard. (You never know...?)

Good: A web-based secure message system (hopefully in PHP) that I could host and run over SSL. I haven't been able to find anything like this.

Maybe I'm asking the wrong thing or the wrong way. Any suggestions are appreciated!

Adam DiCarlo

Posted 2009-08-11T19:47:39.700

Reputation: 358

Question was closed 2015-10-13T06:33:04.617

"What's an easy way for them to send me passwords securely?" Pick up the phone, store it encrypted on an offline machine. Then the only threat requires a physical presence. – Dave – 2015-09-27T05:21:07.673

There is also https://onetimesecret.com; it is open source and deletes the password after it was viewed. So if you can see it, no one else did.

– PiTheNumber – 2015-10-21T12:48:11.233

Them knowing your password in the first place is a pretty big security issue – Ciaran – 2009-08-11T19:50:17.853

Note - this question is a duplicate of http://stackoverflow.com/questions/1262424/how-can-my-clients-easily-send-me-passwords-securely (Adam apparently didn't know about the question migration feature) - if the question is migrated here to superuser, one or the other should be closed as a duplicate.

– bdonlan – 2009-08-11T19:55:57.873

They never know my passwords, but I have to know tons of theirs, being their web developer. – Adam DiCarlo – 2009-08-11T19:56:15.080

Related question on ServerFault: http://serverfault.com/questions/61402/web-based-and-encrypted-password-license-etc-database

– Tim Lytle – 2011-08-08T16:43:27.003

Answers

Your idea of a web-based messaging system could be implemented in a few dozen lines of HTML and PHP (mostly HTML) on any system that had an SSL web server and GPG installed. It’s really just a very simple but specialised formmail type program. You could even hack an existing formmail CGI script to insert a call to GPG (assuming one doesn’t already exist; try Googling for formmail + GPG).

  • If you haven’t already done so, install gpg on your workstation and create your public & private keys
  • Create a PHP page that displays a form to accept a message (text field), encrypts it with gpg using your public key, and emails it to you. Hard-code your email address in the script (i.e. don’t allow the sender to specify who to send to).
  • Install the php page on an existing ssl server or create one just for the task. A self-signed cert is good enough for this job.
  • Tell your client the url when you need them to send you a login and password.

Btw, thunderbird has the Enigmail plugin which makes using GPG encryption very easy. But it’s still probably too much trouble for casual users.

cas

Reputation: 621

I was thinking I'd probably have to do something like that. If I do, I'll make it an open source project if I can think of a good name for it. – Adam DiCarlo – 2009-08-12T02:44:43.743

Think of all the open source projects that were never open sourced because someone couldn't think of a good name! – Robert – 2009-08-14T18:56:53.053

There is now crypto.cat, an open source chat encryption suite/website. – Ampersand – 2012-08-02T21:29:47.103

PGP is popular.

You can also try the tried and true method of a meeting at a pond, preferably with both of you wearing trench coats.

Paxxi

Reputation: 6 952

@AdamDiCarlo so I guess you're going the pond – ironicaldiction – 2016-09-08T13:19:28.377

+1 for both the PGP and the "french connection" ;-) – Rook – 2009-08-11T20:03:43.067

For those of you that want a FOSS version - GPG does the same. – Dentrasi – 2009-08-11T20:11:22.710

I was trying to avoid PGP/GPG -- this is for non tech-savvy people who don't necessarily have much time (or patience) for something involved. – Adam DiCarlo – 2009-08-11T22:15:19.307

This is a combination between a text file and a phone call:

Have your client put the password in a plain text file, and then drop the text file into a password-protected zip file (7zip is free and open-source). Have them email the encrypted .zip/.rar/.7z file to you and then call with their username and the password for the zip file.

This prevents anyone from opening the zip file, and even if they did, it's only a password, which doesn't give you anything without any other information, like username and where to use it.

Additionally, this is a way to email a "forbidden" file type, like a .exe, to an email client that scans attachments and inside zips. In those cases, I usually just include the password for the zipped file in the email, and it's usually "password". It's enough to stop email software from checking the contents, though.

Jared Harley

Reputation: 11 692

While this increases security by adding more layers, it doesn't make the process any simpler. You still have to have a phone call. – spuder – 2014-12-26T16:42:34.687

On the other hand, I like the idea of a second communication channel to convey minimal PIN-like information. I wouldn't assume a non-techie knows how to make a zip file -- so I wouldn't use this answer as is. But we can assume virtually every professional has a cell phone to which a pin number can be sent, which may be a useful security check as part of a secure web-based initial authentication. – ToolmakerSteve – 2015-11-16T21:21:20.157

Don't overcomplicate the matter, and don't overestimate the importance of what your client is sending you.

If either computer has a key logger running, no amount of encryption will protect those precious passwords.

I wouldn't send REALLY sensitive passwords across the internet (such as an administrator's password) but for the applications you mentioned? It's not worth the effort to secure them on the off chance that someone might be intercepting your emails.

If your client is concerned, they have several options:

  1. Learn how to send encrypted emails.
  2. Send a fax, if possible.
  3. Snail mail? (lol)
  4. Speak it clearly over the phone using a Phonetic Alphabet

EvilChookie

Reputation: 4 519

#4 is debatable if Uncle, or anyone who does monitoring work for Uncle, wants the password. Any mobile phone is guaranteed to be recorded by the NSA, as is any landline-to-landline call which crosses a LATA boundary. A phone call within the Milwaukie https://www.telcodata.us/view-switch-detail-by-clli?clli=MLWKOR17DS0 exchange won't be monitored without a warrant, but a call from Milwaukie to Portland will.

– K7AAY – 2018-10-23T18:45:38.840

The applications I mentioned include Authorize.net. I consider that REALLY sensitive as (forgot to mention) I'm talking the transaction key. This key allows not only accepting payments, but basically making payments (crediting customers for refunds is the purpose).

Also SSH/FTP and MySQL access allows the user to blow away their website... I think that's important to protect too.

You say if my client's concerned; isn't it my responsibility as a professional not to say, "Go ahead and email me your sensitive passwords?" – Adam DiCarlo – 2009-08-12T19:01:13.227

Transaction keys - no question. Send those over fax, use the phone, whichever is easier. But for a client website? Sure, it's important stuff, but it's not worth going to all the effort of securing the email. If someone wants to get rid of one of your client's websites, there are far better ways to get rid of it than the off chance of intercepting an email - DDoS attacks, SQL injection, there's umpteen bazillion ways to take down a web server, and stealing someone's credentials by sniffing an email just isn't one of the better ones. Like I said, don't overestimate the importance of the info. – EvilChookie – 2009-08-12T21:10:07.087

And since you work with websites, you should know better than most that you simply don't just store important stuff on the website. – EvilChookie – 2009-08-12T23:00:10.733

What about Cryptocat? Secure, easy to use and a browser is all you need. For details see the About page.

As Ian Dunn has pointed out, the system has the flaw that an attacker could pretend to be your client. The only security in this case would be the name of the chat room that would then become the password. Problem shifted, but not solved.

However, I often need to send clients 30+ char salad (we call them passwords), and I mostly use crypto.cat to exchange the credentials while talking to them on the phone. This seems to be very secure for me, and the client can use CTRL+C.

Tex Hex

Reputation: 2 242

One of the downsides to using crypto.cat for this purpose is that you still have to share the chat room name, which essentially becomes a password in-and-of itself. If an attacker intercepted the room name, they could impersonate the client and get the system password. So now you need a way to securely share the crypto.cat password, and you're back at square one. It isn't fundamentally more secure, it just adds an extra weak layer. 2 weak layers are still better than 1, though, and if you want to keep the process simple then maybe that's an acceptable risk. – Ian Dunn – 2012-08-03T15:59:05.300

I think a phone call is a less-bad way to transmit the information. The caller ID can be spoofed, but it's much harder to mimic somebody's voice, mannerisms, etc. – Ian Dunn – 2012-08-03T16:00:07.467

@Ian Dunn: Okay, I get your point. I will edit my answer. – Tex Hex – 2012-08-03T18:36:43.010

Yeah, if you're already on the phone with them, then that's much better than if you e-mail/text the room name to them. I personally prefer the process I laid out in my answer, but I think your approach is a good one too. – Ian Dunn – 2012-08-03T20:53:17.903

Set up a Password Safe file in a shared Dropbox, so clients can add passwords as needed.

Joel describes the technique here

Ryan

Reputation: 1 728

Interesting idea, but it involves each client learning/using not only Password Safe but also Dropbox, and presumably separate dropboxes for each client? Don't want them seeing other people's password safe files there -- that would look bad (even though they wouldn't have the password to open others' safes). – Adam DiCarlo – 2009-08-12T00:48:12.560

You might want to try NoteShred. It's a tool made pretty much for your exact need. You can create a secure note, send someone the link and password and have it "shred" itself after they read it. The note is gone and you get emailed a notification to let you know your info is destroyed.

It's free, and doesn't require any sign up.

https://www.noteshred.com

Cheyne

Reputation: 149

I like the idea, but if you email the link with the password, isn't that insecure again? If an attacker can see a password in an email, he can see the link + password in an email as well I guess? – Wim Deblauwe – 2016-06-23T15:46:38.810

Obviously you are not going to send the password in an email with the link. You have the option to transfer the password however you wish. Besides, even if the attacker did get the password, only the first person who views the note will see the content; it's shredded after that. So the password is useless. – Cheyne – 2016-06-23T18:28:48.467

Skype's Instant Messaging is encrypted.

Now, here comes the necessary caveats: Skype is not open source so you don't know whether or not they did a terrible job or installed a government backdoor or copy all messages to Bob in IT, but the best available evidence suggests that it is secure.

Ryan

Reputation: 1 728

This should be down voted into the ground. – PiTheNumber – 2015-03-19T16:29:47.797

This is an old answer, but still an interesting one. Skype should not be considered a "secure" way to send sensitive info anymore (https://support.skype.com/en/faq/fa31/does-skype-use-encryption).... Basically IM's are encrypted end-to-end for direct messages, but only your-end-to-the-cloud for cloud-based IMs. Direct messages are going away. So any IMs sent through skype are (or will be) not encrypted end-to-end.

– rocketmonkeys – 2015-04-14T15:52:23.413

We now know for sure, thanks to Snowden, that there are definitely government back doors to Skype. – Robert J Berger – 2014-06-05T18:32:41.710

How about a text file on an encrypted USB key sent via snail mail?

Rob Allen

Reputation: 1 849

This process doesn't work in all situations, but I think it's good for multi-user systems (like a CMS or hosting control panel):

  1. Client calls you on the phone.
  2. While you're on the phone, the client logs in to the system and creates a new admin account specifically for you, rather than giving you access to their existing one.
  3. They pick a relatively simple, random (but 15+ character) passphrase for the initial password (e.g., driving to portland this weekend or where are my headphones)
  4. They tell you the passphrase over the phone.
  5. You immediately login to the system and reset the password to something truly strong, e.g., #]t'x:}=o^_%Zs3T4[ &#FdzL@y>a26pR"B/cmjV.
  6. You store the final password in your password manager.

The advantages to this approach are that:

  1. It's relatively simple for the client. They only have to know how to create an account on the system. You can walk them through that while you're on the phone if they have trouble.
  2. It's relatively simple for you also. You don't have to deal with setting up and sharing encrypted files, hosting a custom form application, etc.
  3. It uses a passphrase (as opposed to a password) so that the temporary password is easy to communicate over the phone, but is also relatively secure.
  4. The final password is never transmitted (except for the reset password form, of course, but that should be encrypted by the system).
  5. The final password is never known by the client, so they can't accidentally expose it to attackers. Of course, they can still expose their own account's password, but a post-mortem investigation of an incident would trace the penetration to their account, not yours ;)

The initial passphrase is the weakest link in the chain because of its relatively low entropy, and insecure transmission over the phone. It still has ~100 bits of entropy, though, and it only lives for 15-90 seconds. In my opinion that's good enough unless you're working on something highly sensitive, or you know that you're currently being personally targeted by a good hacker.

Ian Dunn

Reputation: 191

If you're going to downvote, please explain why... – Ian Dunn – 2012-08-02T18:00:55.077

Not me, but probably because the question is 3 years old. – Ampersand – 2012-08-02T18:48:19.000

That doesn't make sense to me. This isn't a forum thread; the whole point of Stack Exchange sites is to build a repository of knowledge. I would think the age of the question is irrelevant. There are even badges for working on old questions, like Necromancer and Archaeologist. But, if anyone sees any flaws in my answer, please point them out so I can improve it. – Ian Dunn – 2012-08-02T19:53:19.677

That's a good point. You should submit a crypto.cat answer. – Ampersand – 2012-08-02T21:21:48.120

Some people in this thread were suggesting to create a web application to do just that. In fact some even created their own. Frankly speaking, I don't think it's a good idea to rely on strangers for a service like that. I implemented a basic web application that enables users to exchange passwords via a simple web interface and made it available freely under the MIT license.

Check it out here: https://github.com/MichaelThessel/pwx

It takes minutes to set up within your own infrastructure and you can scrutinize the source code. I have been using my own install with my clients for months and even the non-techy folks picked it up in no time at all.

In case you want to test the application without installing it first, you can have a look here:

https://pwx.michaelthessel.com

Michael Thessel

Reputation: 101

You said "I don't think its a good idea to rely on strangers for a service like that" and then recommend they use your code to do this? How is your code (you are also a stranger) any safer than some other random strangers' code? – DavidPostill – 2015-09-27T08:34:05.160

All the other solutions in this thread offer closed source, hosted solutions on their own servers. This solution is open source. You can review the code, make sure it doesn't do anything malicious and install it on your own infrastructure. This is the beauty of open source. – Michael Thessel – 2015-09-28T21:13:00.510

Thank you very much for offering a self-hosted version of these utilities Michael. I see your arguments perfectly and we'll probably follow your lead (plus the branding is better). Brilliant work! – Foliovision – 2016-05-31T23:29:06.850

How about sending the passwords via good old SMS? It's very simple and, as long as you don't provide any other information in the text, it will be very hard to figure out where it goes.

Leif

Reputation: 400

Typing long complex passwords on a phone (and sometimes reading them) is error-prone. – Walf – 2017-10-03T23:42:07.733

This one is a bit more effort but saves the client time as well:

Set them up with something like Roboform but store the data on the web so that you can access it. When they log in somewhere RF will save the password and it's available to you.

Downsides:
  • Not sure how secure online storage of Roboform is.
  • You then have access to all of the client's passwords and they may not like that idea.

Clay Nichols

Reputation: 4 494

Using outlook or thunderbird with S/MIME is easy but even better is to have them call you and read you their password - if you want to be super awesome have them read part of it to you and then text you part of it and email you another part of it.

Ram

Reputation: 977

If the usage is very temporary, like one-time troubleshooting or file transfer, this level of security may be unnecessary. Have the client temporarily change the password to something you know, do your work, then have the client change it again. Even if the temporary password was discovered, it will be obsolete before it can be used for nefarious purposes.

fixer1234

Reputation: 24 254

A friend of mine created this website specifically for this reason: https://pwshare.com

For me and my friends in the hosting world, it's a great tool to quickly send passwords to clients.

From the about page (https://pwshare.com/about):

PWShare uses a public/private key encryption specification known as RSA. When the client wants to send a password, a public key is requested from the server.

The client then encrypts the password before sending the password to the server. Because of this, the server doesn't know or store the decrypted password.

Only using the link, which contains the Private key identifier and password, can the password be decrypted.

Mark Kraakman

Reputation: 1

I would recommend using something like AxCrypt. It is very intuitive, so even technically challenged people can make it work.

Download AxCrypt here

When you use AxCrypt, you or whoever you are dealing with can create a file with all of the passwords/sensitive info and then encrypt it with a passphrase. I always recommend at a minimum exchanging the passphrase over the phone or in person (this is the best option). AxCrypt uses some decent encryption, so you can be sure it will keep all but the most determined adversary out. The best part with AxCrypt is that it integrates into Windows as an Explorer extension. In Windows Explorer all you need to do is right-click on the file to encrypt or decrypt it.

Happy Hunting!

Axxmasterr

Reputation: 7 584