
Security Basics mailing list archives
Re: secure password communication
From: "James Lawrie" <stwange () gmail com>
Date: Mon, 22 Dec 2008 18:14:48 +0000
If encryption is unfeasible, and using a different medium is too expensive, then there is little you can do: you are left with the option of transmitting plain text over an insecure network, which is precisely the problem asymmetric encryption was developed for. I could suggest HTTPS with web server authentication, but if the clients don't have a username and password with you, this removes the possibility of authentication.

You could:

- Use a security-through-obscurity approach with HTTPS where the passwords are visible (e.g. http://domain.com/RANDOMHEXSTRING/password.html), where you communicate the URL via some other medium, e.g. over the phone (not user friendly, prone to mistakes).
- Have the password at http://domain.com/somepassword and restrict access to only their subnet if they have a centralised network.
- Send out an unencrypted email to each of the users with a password which is only valid once (so they have to change it), and then either verify with each of the users that they have changed it, or wait for complaints (it will fail if anyone else has logged in).

Each of the suggestions requires you to actively monitor connections to the URLs in question, and they are mainly security-through-obscurity approaches which should only be used as a last resort. I guess it's possible that you could also implement a port knocking technique which is only valid from within their network.

All of the above suggestions could be used to transmit a master username and password to the clients' manager (or whoever is in charge), which then allows an authentication over HTTPS to take place, but again this would require active logging. I guess it depends how many logins you are trying to send.

Good Luck,
James Lawrie.

2008/12/22 <sfmailsbm () gmail com>:
> Dear List,
>
> We need to communicate first-time application passwords to remote users. I wanted to know what practices are implemented out there to ensure that the password is communicated in a secure, fast, cost-effective way. Encrypted mail is not feasible for the time being, and printing PIN mailers and sending them by post will be too lengthy. Any ideas will be appreciated.
>
> Many thanks,
> Ron
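The third option above (a first-time password that is valid exactly once and must be changed, where a second presentation of the same credential is the signal that someone else got there first) is easy to get wrong if the server does not record state. The following is an added example, not code from the thread or from any product the posters used: a small store that issues random one-time tokens, keeps only a hash of each, enforces a validity window, refuses reuse, and keeps an audit trail so that a duplicate redemption for a user can be spotted and investigated. The user names and the 24-hour default lifetime are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Outcome(Enum):
    OK = "ok"                      # first and only successful use; user must now set a password
    EXPIRED = "expired"            # presented after the validity window closed
    ALREADY_USED = "already_used"  # a correct token presented a second time: possible interception
    INVALID = "invalid"            # unknown user or wrong token


@dataclass
class Issued:
    digest: bytes                  # SHA-256 of the token; the plaintext is never stored server-side
    expires_at: float              # unix time after which the token is dead even if unused
    used_at: Optional[float] = None
    attempts: int = 0


@dataclass
class FirstLoginTokens:
    ttl_seconds: float = 24 * 3600             # assumed lifetime; tune to how fast users act on the mail
    _store: Dict[str, Issued] = field(default_factory=dict)
    audit: List[tuple] = field(default_factory=list)   # (time, user, outcome) for monitoring

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue(self, user: str, now: float) -> str:
        """Create a fresh one-time token for `user` and return the plaintext to send out.
        Re-issuing replaces any earlier token for that user."""
        token = secrets.token_urlsafe(24)      # 192 bits of CSPRNG entropy; not guessable
        self._store[user] = Issued(digest=self._digest(token), expires_at=now + self.ttl_seconds)
        return token

    def redeem(self, user: str, token: str, now: float) -> Outcome:
        """Validate a presented token. Exactly one correct, in-window presentation succeeds."""
        rec = self._store.get(user)
        if rec is None:
            return self._log(now, user, Outcome.INVALID)
        rec.attempts += 1
        # Constant-time comparison of hashes so timing does not leak how many bytes matched.
        if not hmac.compare_digest(rec.digest, self._digest(token)):
            return self._log(now, user, Outcome.INVALID)
        if rec.used_at is not None:
            # Correct token, but it was already consumed: either the user is retrying or
            # the mail was read by someone else first. Either way, this needs a human look.
            return self._log(now, user, Outcome.ALREADY_USED)
        if now > rec.expires_at:
            return self._log(now, user, Outcome.EXPIRED)
        rec.used_at = now
        return self._log(now, user, Outcome.OK)

    def must_change_password(self, user: str) -> bool:
        """True once the one-time token has been consumed; the application should force
        a password change before granting anything else."""
        rec = self._store.get(user)
        return rec is not None and rec.used_at is not None

    def suspicious_users(self) -> List[str]:
        """Users for whom a consumed token was presented again, in first-seen order."""
        seen: List[str] = []
        for _, user, outcome in self.audit:
            if outcome is Outcome.ALREADY_USED and user not in seen:
                seen.append(user)
        return seen

    def _log(self, now: float, user: str, outcome: Outcome) -> Outcome:
        self.audit.append((now, user, outcome))
        return outcome


if __name__ == "__main__":
    # Constructed walk-through with assumed user names and a fixed clock.
    store = FirstLoginTokens(ttl_seconds=3600)
    tok = store.issue("alice", now=1000.0)
    print("alice first use:", store.redeem("alice", tok, now=1001.0).value)      # ok
    print("alice second use:", store.redeem("alice", tok, now=1002.0).value)     # already_used
    print("flagged:", store.suspicious_users())                                   # ['alice']
```

The point the example makes concrete is that "valid once" is a server-side property: the store must remember that the token was consumed, and a second correct presentation is not just an error but an event worth alerting on, which is the "wait for complaints" signal from the post turned into something the operator can monitor directly.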
Current thread:
- secure password communication sfmailsbm (Dec 22)
- Re: secure password communication adeel hussain (Dec 22)
- Re: secure password communication Ansgar Wiechers (Dec 22)
- Re: secure password communication Stephen Thornber (Dec 22)
- Re: secure password communication James Lawrie (Dec 22)
- Re: secure password communication Mitchell Rowton (Dec 22)
- Re: secure password communication Shreyas Zare (Dec 23)
- Re: secure password communication Andre Pawlowski (Dec 23)
- <Possible follow-ups>
- Re: secure password communication dan . crowley (Dec 22)
- Re: secure password communication John Jordan (Dec 23)
- Re: secure password communication dan . crowley (Dec 23)