Sharing a Password Securely (and Remotely)

Security

If you wish to share a password with a user there’s various ways you can achieve it. But not all of them are secure!

Let’s say you have the scenario that you are onboarding a user or you’ve had to reset their password for some reason. If that person is on-site, that’s pretty easy, you can get them to logon to the device, tell them the temporary password and they can then reset it then and there.

However, when they are not on-site, how do you securely get this password to a user who is remote, especially without attempting to read it over the phone or emailing it (in plain text).

I’m welcoming any comments on these, but there’s three options i’ve used in the past, the first one is pretty basic in that is “something they already know”, and the second builds on this method but includes encryption if you want to ensure the password you’ve used is more secure (if that user doesn’t end up changing it even when you advise them too!) and the third is the second but with a passphase you read over the phone.

Option 1 – Something They Already Know

So you reset the user’s password to something they already know (and of course something you know), for example their date of birth, or their home postcode, or perhaps a combination of those perhaps “84” if their year of birth is 1984, and the postcode to make something like 84AL4WC7, of course this can be problematic if you enforce the need for complex passwords etc. But otherwise you can just say over the phone to the user (or personal email, assuming they can’t get into their work email) your password is: “your year of birth as two numbers and your home postcode”. Of course remember GDPR restrictions here!

Option 2 – Something They Already Know and Encryption

So you reset the user’s password to a reasonably secure string, e.g. hor5e_battery_tree! now encrypt this with a tool like https://encode-decode.com/aes256-encrypt-online/ and for the passphrase you can use either something they already know (e.g. their date of birth written out like 01/01/1984 which can be easily explained over the phone).

Now you’ve done this you can email this to a personal account of the user, if it goes missing then no matter, its secure. If it gets left in their email, without any context (and the passphrase) its also useless.

Once they have confirmed they have the string, you can then give them the pass-phrase 01/01/1984 over the phone and then they just enter it into the tool again to decrypt: https://encode-decode.com/aes256-encrypt-online/ then hey presto they have the decrypted password, can logon and reset it.

In this case you’ve never actually sent the passphrase over a insecure channel, e.g. email or via a voice phone call, you’ve encrypted it with something they already know, so if the recipient doesn’t know it, then they can’t retrieve the password.

Option 3 – Encryption with a Passphrase

The same as the above except you make a passphrase up easily readable (over the phone) passphrase like chips_burgers_nice. Encrypt the password using the tool: https://encode-decode.com/aes256-encrypt-online/ and the passphrase, so for example the password: hor5e_battery_tree! which becomes:

dgPKzk0+4aB7kZNcQF9/KsBkI5xoti/j3jKt/m8kkrc=

Once they have confirmed they have the encrypted string, you can then give them the pass-phrase chips_burgers_nice over the phone and then they just enter it into the tool again to decrypt: https://encode-decode.com/aes256-encrypt-online/

Hey presto, they have their password and you’ve not sent it via plain text.

Conclusion

So there you go some simple ways to share a password, of course this covers the secure sharing of the password only, ensuring you have authenticated the person to which you are sending the password is something else to consider!

Any comments on improvements, or how you get round this problem?

Leave a Reply

Your email address will not be published.