tags:

views:

43

answers:

4
+2  Q: 

More secure password communication

Hi,

Our vendor needs some access to our test server, and thus we send them email with username/password (i think it's unencrypted). What is the most unintrusive way to bump up the security level?

Thanks

+5  A: 

Call them on the telephone.

David Brown  2010-03-16 02:13:02
The problem with this is you have to say the password?Also we are assuming that the telephone network is much more secure than email?
portoalet  2010-03-16 02:30:15
You're assuming someone actually wants your test server password badly enough that they will somehow go to the trouble to tap your telephone line?
David Brown  2010-03-16 02:41:41
hmm who knows..
portoalet  2010-03-16 04:45:48
+2  A: 

Depending a the level of security you're going for. It's usually inversely proportional to convenience. So here are some in order of least secure.

  1. Zip file with password protection (winzip)
  2. If you're both using Windows send them the information in locknote.exe. It's very easy and the security in the code is very tight. ( http://www.steganos.com/us/products/for-free/locknote/overview/ )
  3. Get their public key and have them SCP to your server to pick up the password file.
  4. Setup encrypted email and either send them your key or setup your public key on a public key server.

These are just some thoughts off the top of my head.

cstrzelc  2010-03-16 02:13:57
How's the vendor going to get the WinZip or Locknote password?
Matthew Flaschen  2010-03-16 02:15:16
Probably have to tell the vendor on the phone?
portoalet  2010-03-16 02:35:49
Sorry I wrote this going a little to fast :) That password would have to be based on something they know of good 'ol fashioned telephone. Then they could share any additional accounts with those methods. The second two would work better for his solution but do require some setup. Gmail uses a cool plugin 'FireGPG' if oyu already have a public/private key pair. Its really easy to use too.
cstrzelc  2010-03-16 02:37:53
What about hushmail (http://www.hushmail.com/about/). I've never used it, and I don't know of anyone that has. But they could both setup accounts and email their passwords. I haven't read that much about it, but maybe a good option????? -cs www.nobletech.net
cstrzelc  2010-03-16 02:44:03
Hushmail uses OpenPGP (http://www.hushmail.com/about/technology/how-it-works/), the same technology in PGP and GPG.
Matthew Flaschen  2010-03-16 02:59:04
+1  A: 

Call them, especially if you already know their voice. A more traditional solution (that requires some setup) is GPG.

Matthew Flaschen  2010-03-16 02:14:05
+2  A: 

Send the two parts with separate communication channels.

Use a combination of any two of the following.

  • Voice phone call.

  • Fax.

  • Snail Mail.

  • Encrypted Email.

Separate channels makes it very hard to reconstruct the credentials.

S.Lott  2010-03-16 02:16:06
Don't forget couriers and the in-person channel.
S.Lott  2010-03-19 19:02:13

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security