When I need to send a password to someone, I usually send all the info except the password (i.e. server and user) through a certain channel (email, IM, etc.) and the password itself (with no explanation of what it's for) by text message.
Is this acceptable or is there a better method?
The intended recipient may need to repeat the request if they don't get the message. However, you should consider that it's fairly common that people get email and IMs on their phones, so the communication may not be as separated as you might think. Considering that a request might be initiated from the phone as well, it's not all that secure.
Whilst I share some of the concerns of other correspondents, I also note an argument of pragmatism.
I have to issue a lot of passwords to people in other countries. I don't know them; I have no means of contacting them face-to-face; I can't engage a courier to hand-deliver a password each time; and the delays of postal mail (which also is by no means a guaranteed person-to-person service) are considered business-unacceptable.
So what's a sysadmin to do? I have to get passwords to people somehow, or no one will ever be able to log in.
So for some time I've done as you do. I require a GSM phone number for each validated new password (or change) request, and I SMS the password to that number; username, system addresses etc. all go through email from the ticketing system they've used to log the request. The only wrinkle I've added is to pre-expire the password, which requires it to be changed on first login. On Linux, I do this with
chage -d 0 username
after setting the password, and on Solaris with
passwd -f username
This means that the token isn't infinitely reusable if it's disclosed; a black hat coming across the discarded text message will only know what the password used to be. It also means that if someone else gets it first, I'll find out about it, because the legitimate user won't be able to log in after the black hat has got there and changed it first.
It's still not perfect, and there are still ways it can fail, but I have yet to find anything better. Anyone?
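The set-then-pre-expire procedure from the answer above, written out as a small script. This is an added example, not the answerer's own script: it assumes a Linux host with shadow-utils (chpasswd, chage), root privileges, and that the "password must be changed" wording of `chage -l` is what your version prints; the user name and password length are made up.

```shell
# Added example, not from the original answer. Assumes Linux shadow-utils
# (chpasswd, chage) and root privileges; the account name below is hypothetical.
set -e

# Generate a random one-time password of the requested length (default 16)
# from /dev/urandom, restricted to characters that survive SMS and typing.
gen_password() {
    local len="${1:-16}"
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$len"
}

# Set the password and immediately pre-expire it (chage -d 0) so that the
# first login forces a change; the texted token then works exactly once.
set_one_time_password() {
    local user="$1" pass="$2"
    printf '%s:%s\n' "$user" "$pass" | chpasswd
    chage -d 0 "$user"
}

# Returns 0 if the account is flagged for a forced change. Assumes the
# "password must be changed" wording that chage -l prints when the last
# change date is 0.
is_preexpired() {
    chage -l "$1" | grep -q 'password must be changed'
}

# Typical use (only meaningful as root on a real system):
#   pw=$(gen_password 16)
#   set_one_time_password alice "$pw"
#   is_preexpired alice && printf 'send out of band: %s\n' "$pw"
```

The username and system details go through the ticket/email channel as in the answer; only the output of `gen_password` is texted, and `is_preexpired` is the check worth running before you send it.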
I think you might be surprised at just how common this practice is and realistically it's quite acceptable for a lot of cases. However, as you obviously already suspect, it's far from ideal.
Ideally the communication should be encrypted using some form of pre-shared secret but of course the very sharing of that secret presents problems. PGP/GPG is a great solution to the problem. This used to be quite common practice but as far as I can tell is not used much these days, although I can't understand why not. Last time I checked GPG was freely available for all major platforms.
You should have a way to be sure that your correspondent is the only one who knows the password:
You also need a way to know if one of the previous points did not happen and in that case, a way to deactivate the access to the protected resource.
Whether it is acceptable or not depends on the resource you would like to protect. If you just want to protect the photos of your last holiday and only care that they are not freely visible to search engines on the Internet but require a password to access them, it is probably less important than access to confidential documents of your company.
Asymmetric encryption (e.g. RSA) is probably the safest way.
Your friend sends you the public key that you will use for password encryption. Then, your friend uses the private key to decrypt it.
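The exchange described in the answer above (recipient generates a keypair and hands over the public key, sender encrypts the password to it, recipient decrypts with the private key that never left their machine), done with GnuPG as the earlier PGP/GPG answer suggests. This is an added example, not code from either answer: it assumes GnuPG 2.1 or later on the PATH, uses throwaway home directories so nothing touches your real keyring, and the user ID and password are made up.

```shell
# Added example, not from any answer on this page. Assumes gpg (GnuPG >= 2.1)
# and gpgconf are installed; the uid "bob@example.test" and the password are
# constructed for the demonstration.
set -e

# Recipient side: create a keypair in a private GnuPG home and export the
# public key, which is the only thing that has to be sent to the other party.
recipient_make_key() {   # $1 = gnupg home, $2 = user id
    mkdir -p "$1" && chmod 700 "$1"
    gpg --homedir "$1" --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$2" default default never >/dev/null 2>&1
    gpg --homedir "$1" --armor --export "$2"
}

# Sender side: import the recipient's public key and encrypt the password to
# it. --trust-model always stands in for verifying the key fingerprint by a
# second channel, which is the step you must not skip in practice.
sender_encrypt() {       # $1 = gnupg home, $2 = public key file, $3 = uid, $4 = password
    mkdir -p "$1" && chmod 700 "$1"
    gpg --homedir "$1" --batch --import "$2" >/dev/null 2>&1
    printf '%s' "$4" | gpg --homedir "$1" --batch --trust-model always \
        --armor --recipient "$3" --encrypt
}

# Recipient side: decrypt with the private key, which never left this machine.
recipient_decrypt() {    # $1 = gnupg home, $2 = armored ciphertext file
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --decrypt "$2" 2>/dev/null
}

# Full exchange for one password; prints what the recipient recovers.
roundtrip() {            # $1 = password to transport
    local work
    work=$(mktemp -d)
    recipient_make_key "$work/bob" "bob@example.test" >"$work/bob.pub"
    sender_encrypt "$work/alice" "$work/bob.pub" "bob@example.test" "$1" >"$work/pw.asc"
    recipient_decrypt "$work/bob" "$work/pw.asc"
    gpgconf --homedir "$work/bob" --kill gpg-agent 2>/dev/null || true
    gpgconf --homedir "$work/alice" --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
}
```

The armored output of `sender_encrypt` is what you would paste into email or IM; it is useless without Bob's private key. What the keypair does not solve is the point raised in the "be sure your correspondent is the only one" answer: you still need to confirm, over a channel an attacker cannot control, that the public key you imported really is Bob's.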
I've encountered this pain and decided to build a simple tool to solve this pain: http://tanin.nanakorn.com/labs/secureMessage
It uses Javascript to do RSA encryption. Therefore, your password never leaves your or your friend's machine. Also, the keys are destroyed when you leave the page.
One caveat is that, if you leave the page, you'll lose your private key... so this tool might be better for sending a password over IM (not email).
Might want to consider some form of 2-factor auth. The identity validation replies earlier totally make sense and are valid concerns.
Another option I sometimes use is taking a picture of a written password; you can use MMS or anything else. It isn't as easy to "detect" in case of rootkits/malware you may be trying to avoid.