I'm looking for an easy (extremely) for clients to communicate their passwords to me other than clear text. I need the password to work on their site. I always tell my clients to never send them in clear text via email. The only solution I use at this point is to call the client for a password and this is not convenient for either of us. As a related question, WordPress sends passwords for new users out in clear text, does this mean that the passwords are not hashed in WP? The solution must be extremely easy for the client as most are not that tech savvy.
They are hashed when stored in the database. When a new user is created, the password is created & stored in memory, hashed & stored in the database, sent (from the variable stored in memory), and then original plain-text password disappears once the user creation function is complete.
As for your submission problem, just create a simple submissions form and protect it with SSL.
Lastpass has a share password feature...
I didn't know that. That would be a good solution for me to send passwords back to customers. I'm still looking for a way for them to send them to me. So far setting up a secure page with form seems the most viable. I guess what I am really hoping for is a service that did this.
So when most of you are working on a site, you just have them email the password to you? I don't know if I'm just being overly cautious but some of you must work on some HIPAA sites.
I work on quite a few ecom sites and would imagine the transmitting of passwords in clear text would be against PCI compliance policies.
I think that the usual practice is to change password immediately after the other party has finished working with the account.
One way to communicate password more securely is to split in multiple parts and send each part using different channel.
Part1 = random_string
Part2 = random_string
Part3 = password xor Part1 xor Part2
Send Part1 via e-mail (as image)
Send Part2 via SMS
Send Part3 via snailMail (ok joking)
And then on other end password is recovered:
Password = Part1 xor Part2 xor Part3
How do you intend to deal with clients who havve learnt rule one of computer security - Never tell your password to anyone, ever.
Instruct them to change it after the task/job/project is complete?
Since they would never give it to you in the first place, why would they need to change it?
If you need to ask people for their password then you are working the wrong way in the first place.
I use password coral - Cygnus Productions [Password Corral - Freeware]
The .pc files it produces are encrypted and opens with a different password.
While exchanging a list of passwords, I give the entire file, and exchange the master password alternatively.
My list of passwords may include:
Application's own login details
But, be sure, that the file contains password information of the ONLY costumer you are dealing, per single .pc file.
Have them create an account for you? Though, they aren't always familiar enough with their control panel to actually do that...
sharing via SMS is more secure than the email clear text.
Actually I found out that LastPass has this functionality. You can share an encrypted password through their site.