Communicating Passwords

I’m looking for an (extremely) easy way for clients to communicate their passwords to me other than clear text. I need the password to work on their site. I always tell my clients to never send them in clear text via email. The only solution I use at this point is to call the client for a password and this is not convenient for either of us. As a related question, WordPress sends passwords for new users out in clear text; does this mean that the passwords are not hashed in WP? The solution must be extremely easy for the client as most are not that tech savvy.

Thanks,
Keith

They are hashed when stored in the database. When a new user is created, the password is created & stored in memory, hashed & stored in the database, sent (from the variable stored in memory), and then the original plain-text password disappears once the user creation function is complete.

As for your submission problem, just create a simple submissions form and protect it with SSL.

Lastpass has a share password feature…

I didn’t know that. That would be a good solution for me to send passwords back to customers. I’m still looking for a way for them to send them to me. So far setting up a secure page with form seems the most viable. I guess what I am really hoping for is a service that did this.

So when most of you are working on a site, you just have them email the password to you? I don’t know if I’m just being overly cautious but some of you must work on some HIPAA sites.

I work on quite a few ecom sites and would imagine the transmitting of passwords in clear text would be against PCI compliance policies.

I think that the usual practice is to change the password immediately after the other party has finished working with the account.

Also:
One way to communicate a password more securely is to split it into multiple parts and send each part using a different channel.
Part1 = random_string
Part2 = random_string
Part3 = password xor Part1 xor Part2

Send Part1 via e-mail (as image)
Send Part2 via SMS
Send Part3 via snailMail (ok joking) :smiley:

And then on other end password is recovered:
Password = Part1 xor Part2 xor Part3
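
The XOR split described in the post above, as an added example that is not part of the original thread. The function names, the fixed 64-byte padding and the hex encoding of each part are assumptions of this example.

```python
import secrets
from functools import reduce

# Assumption of this example: pad every secret to a fixed size so the
# length of a part does not reveal the length of the password.
PAD_LEN = 64


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_password(password: str, parts: int = 3) -> list[str]:
    """Return `parts` hex strings; every one is needed to recover."""
    if parts < 2:
        raise ValueError("need at least two parts")
    raw = password.encode("utf-8")
    if len(raw) > PAD_LEN - 1:
        raise ValueError("password too long for PAD_LEN")
    # One length byte, the password bytes, then zero padding.
    block = bytes([len(raw)]) + raw + bytes(PAD_LEN - 1 - len(raw))
    # Part1..Part(n-1): fresh CSPRNG output, as long as the padded block.
    randoms = [secrets.token_bytes(PAD_LEN) for _ in range(parts - 1)]
    # Last part = password xor Part1 xor Part2 ...
    last = reduce(_xor, randoms, block)
    return [p.hex() for p in randoms + [last]]


def recover_password(shares: list[str]) -> str:
    """XOR all parts together (order does not matter) and unpad."""
    blocks = [bytes.fromhex(s.strip()) for s in shares]
    if len(blocks) < 2 or any(len(b) != PAD_LEN for b in blocks):
        raise ValueError("malformed or missing part")
    block = reduce(_xor, blocks)
    n = block[0]
    # Structure check only: it catches a missing or mistyped part,
    # but it is not a cryptographic integrity check.
    if n > PAD_LEN - 1 or any(block[1 + n:]):
        raise ValueError("parts do not combine to a valid password")
    return block[1:1 + n].decode("utf-8")


if __name__ == "__main__":
    p1, p2, p3 = split_password("correct horse (constructed sample)")
    print("channel 1:", p1, "\nchannel 2:", p2, "\nchannel 3:", p3)
    print("recovered:", recover_password([p3, p1, p2]))
```

Each password needs freshly generated random parts: if Part1 and Part2 are reused for a second password, the two Part3 values XOR together to the XOR of the two passwords.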

How do you intend to deal with clients who have learnt rule one of computer security - Never tell your password to anyone, ever?

Instruct them to change it after the task/job/project is complete?

Since they would never give it to you in the first place, why would they need to change it?

If you need to ask people for their password then you are working the wrong way in the first place.

I use Password Corral - Cygnus Productions [Password Corral - Freeware]

The .pc files it produces are encrypted and open with a different password.
While exchanging a list of passwords, I give the entire file, and exchange the master password alternatively.

My list of passwords may include:
FTP details.
Database details
Application’s own login details
Other passwords

But be sure that the file contains password information of ONLY the customer you are dealing with, per single .pc file.

Have them create an account for you? Though, they aren’t always familiar enough with their control panel to actually do that…

Sharing via SMS is more secure than clear-text email.

Actually I found out that LastPass has this functionality. You can share an encrypted password through their site.