Wednesday, August 22, 2012

Security tip: don't send passwords over email or IM

I always insist that people not email passwords or other sensitive data to me, or use instant messaging. Chances are good that your email or my email will someday get hacked, and one of the first things an attacker will do is search your mailboxes for words like "password", "account ID",  and "credit card number".  It's not a wise risk to take.

Here's what I do instead:

KEYVAULT

I usually ask people to use Keyvault which lets you send encrypted, short-lived, self-destructing messages accessible only by a unique key. The recipient receives a message form Keyvault with a link to the message referencing the unique key.

Of course this requires you to trust the people who make Keyvault to not be a bad actor. I'm not so worried about this because the service was recommended to me by a friend, Scott Paley.

You also have to trust Keyvault to handle their security properly, to really delete the messages after the self-destruct time limit expires, and so forth. So for the most sensitive data, I recommend sending the most sensitive data out-of-band, using one of the below methods.

This is a tradeoff of course; there's still a risk in trusting Keyvault, but it's a lot less risky than trusting your email provider.

I've thought about building an open-source version of Keyvault that comes with instructions for deploying it to your own personal Heroku installation, so that you don't have to trust anyone else.

SMS

This isn't as secure of an option as it once was, now that people can back up their smartphones to the cloud or to a computer, but if you don't identify what the password is in the text message I feel it's fairly secure. The way to do this is send an email that says "my account ID is ####. I'll text the password to you shortly." Then you just sent a text with your password, by itself.

SNAIL MAIL

For really sensitive stuff, like the passphrase to unlock your company's PGP keys, I write the sensitive data on a piece of paper, stuff it in an envelope, and mail it to the recipient, making sure they know to keep the envelope in a safe place.

3 comments:

TechScruggs said...

When it comes to reasonably secure, I usually fall back to Skype.

I know there are stronger forms of encryption, but everyone has it and it seems 'secure enough'.

What are your thoughts on using Skype as a secure medium?

Unknown said...

Mike - our company developed Key Vault for exactly this reason. Thanks much for the shout out! I love your idea of open sourcing w/ a Horoku installation. We're pretty busy right now, but hopefully we'll be able to give it a little attention soon. We have some additional features we'd like to build in as well. If you ever wanted to help with moving it to an open source project and putting together a Heroku installation give us a shout!

Kate Bladow said...

Great post, Mike. I should have realized (but didn't connect the dots yet) that email account hackers would search for terms to find passwords in your email account. I don't keep important passwords there, but I know that others do, and it's another reason for them not to.

Personally, my next step is to start using KeePass to store my passwords instead of my head. I should have moved already, but because I need information on multiple devices, I need to do some reading first to figure out how to make it work best.