views: 43

answers: 4
Hi,

Our vendor needs some access to our test server, and thus we send them email with username/password (I think it's unencrypted). What is the most unintrusive way to bump up the security level?

Thanks

+5  A: 

Call them on the telephone.

David Brown
The problem with this is you have to say the password? Also we are assuming that the telephone network is much more secure than email?
portoalet
You're assuming someone actually wants your test server password badly enough that they will somehow go to the trouble to tap your telephone line?
David Brown
hmm who knows..
portoalet
+2  A: 

Depending on the level of security you're going for. It's usually inversely proportional to convenience. So here are some, in order from least secure.

  1. Zip file with password protection (winzip)
  2. If you're both using Windows send them the information in locknote.exe. It's very easy and the security in the code is very tight. ( http://www.steganos.com/us/products/for-free/locknote/overview/ )
  3. Get their public key and have them SCP to your server to pick up the password file.
  4. Set up encrypted email and either send them your key or set up your public key on a public key server.

These are just some thoughts off the top of my head.

cstrzelc
How's the vendor going to get the WinZip or Locknote password?
Matthew Flaschen
Probably have to tell the vendor on the phone?
portoalet
Sorry I wrote this going a little too fast :) That password would have to be based on something they know or good ol' fashioned telephone. Then they could share any additional accounts with those methods. The second two would work better for his solution but do require some setup. Gmail uses a cool plugin 'FireGPG' if you already have a public/private key pair. It's really easy to use too.
cstrzelc
What about hushmail (http://www.hushmail.com/about/). I've never used it, and I don't know of anyone that has. But they could both set up accounts and email their passwords. I haven't read that much about it, but maybe a good option????? -cs www.nobletech.net
cstrzelc
Hushmail uses OpenPGP (http://www.hushmail.com/about/technology/how-it-works/), the same technology in PGP and GPG.
Matthew Flaschen
+1  A: 

Call them, especially if you already know their voice. A more traditional solution (that requires some setup) is GPG.

Matthew Flaschen
+2  A: 

Send the two parts with separate communication channels.

Use a combination of any two of the following.

  • Voice phone call.
  • Fax.
  • Snail Mail.
  • Encrypted Email.

Separate channels make it very hard to reconstruct the credentials.

S.Lott
Don't forget couriers and the in-person channel.
S.Lott
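As an added example (not code from any of the answers above), the two-channel idea taken one step further: rather than sending the username on one channel and the password on another, the password itself is split into two XOR shares so that neither channel alone carries anything usable, and each share is encoded with a short checksum so it can be read out over the phone or faxed and a mis-heard digit is caught. The sample password and function names are constructed for the example.

```python
import hashlib
import secrets

# Constructed sample credential for the demo; not a real password.
SAMPLE_PASSWORD = "T3st-S3rv3r-Pa55"


def split_secret(secret: bytes) -> tuple[bytes, bytes]:
    """Split a secret into two shares with a one-time pad (XOR).
    Each share alone is uniformly random, so one intercepted channel
    reveals nothing; both shares together give the secret back."""
    pad = secrets.token_bytes(len(secret))
    share = bytes(s ^ p for s, p in zip(secret, pad))
    return pad, share


def join_secret(share_a: bytes, share_b: bytes) -> bytes:
    """Recombine two shares; XOR is commutative, so order does not matter."""
    if len(share_a) != len(share_b):
        raise ValueError("shares must be the same length")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def encode_for_channel(share: bytes) -> str:
    """Hex in groups of four plus a 4-hex-digit SHA-256 checksum, so the
    share is readable over a voice call or fax and typos are detected."""
    check = hashlib.sha256(share).hexdigest()[:4]
    hexstr = share.hex()
    groups = " ".join(hexstr[i:i + 4] for i in range(0, len(hexstr), 4))
    return f"{groups} / {check}"


def decode_from_channel(text: str) -> bytes:
    """Reverse encode_for_channel, refusing a share whose checksum fails."""
    body, _, check = text.rpartition(" / ")
    share = bytes.fromhex(body.replace(" ", ""))
    if hashlib.sha256(share).hexdigest()[:4] != check:
        raise ValueError("checksum mismatch: share was mis-transcribed")
    return share


def demo(password: str = SAMPLE_PASSWORD) -> str:
    """Split, send one share 'by phone' and one 'by fax', then recombine."""
    by_phone, by_fax = (encode_for_channel(s) for s in split_secret(password.encode()))
    recovered = join_secret(decode_from_channel(by_phone), decode_from_channel(by_fax))
    return recovered.decode()
```

Hex was chosen over base64 for the phone channel because it avoids case-sensitive and easily confused characters.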