what's a secure way to send passwords over the internet?
I'm looking for the best way to send passwords over the internet safely. Options I've looked at are PGP and encrypted RAR files. There are no real parameters other than getting from point A to point B over the internets without too much risk.
PGP or another asymmetric encryption method would sound like the way to go ..
=> secure & private
Any mechanism that uses asymmetric keys (like SSL or PGP) is good. Basically, it means that you encrypt the data (the password in your case) with the other person's public key, and the only way to decrypt it is to have access to the private key (which only the receiver has).
The only thing to worry about with PGP is whom you trust, because spoofing can easily happen when people sign their own keys.
Read the web of trust section in the Wikipedia entry for PGP for more info about that.
What about calling the recipient with Skype?
You should also make sure the receiver has to change the password before being able to use whatever service it's for, authenticating the change with the sent one-time password. This will provide further protection against theft, and/or slightly better chances at discovering one if it required the thief to change it, leaving the true user with an access denied prompt ^^
Send a one-time-use link, which links to a page (using SSL) where the password can be created. If anyone else discovers the link, it's likely too late for them to use the link. You'll need some kind of reset ability, just in case the link is intercepted and used before the intended recipient.
If you are on Windows, you might want to listen to Security Now 201: SecureZip
AFAIK SecureZip implements/automates the asymmetric encryption approach I described above.
You might want to try NoteShred. It's a tool made pretty much for your exact need. You can create a secure note, send someone the link and password and have it "shred" itself after they read it. The note is gone and you get emailed a notification to let you know your info is destroyed.
It's free, and doesn't require any sign up.
https://www.noteshred.com
If it's a one-off thing, you can use my tool: http://tanin.nanakorn.com/labs/secureMessage
It uses JavaScript to do RSA encryption. Therefore, your password never leaves your or your friend's machine. Please see the FAQ on the above page for more info.
To do it regularly, you'd be better off using PGP or SSH keys, so that you don't have to generate a new pair of keys every time.
I tend to use synchronous methods for password transmission. Often I just IM someone and tell them that the password they are waiting for is xxxxxx. That way there is no identification of the server that the password works on, and I can send it when I know the person is sitting there to change the password immediately.
You don't give a lot of details regarding what's needed, but I keep my passwords in a KeePass file that is stored in a Dropbox.