When dealing with passwords for both our own systems and third parties, it is critical that we handle them correctly and securely.

Never transmit credentials in plain text, for example in emails, tickets or even Skype messages.

The primary reason for this is that those forms of communication are inherently not secure and can easily be intercepted by malicious third parties.

Verbal communication

Providing credentials verbally either over the phone or in person is the preferred method of sending a password.

Encrypted ZIP archives

Credentials can be saved as a text file and added to a password protected ZIP archive.

The password for the ZIP archive should be different to the actual password that is being transmitted.

The ZIP archive can then be sent via any medium.

The password for the ZIP archive can be sent insecurely via any medium as long as it isn’t the same medium that was used to send the actual archive file.

For example, the ZIP archive could be sent via email and the password for the ZIP archive sent via Skype or verbally.

One Time Secret

A service called One Time Secret provides a way of sending a password separately from any other contextual information such as usernames.

The service will give a secret URL which when accessed will reveal the sensitive information. The URL can only be accessed once, after which it will be deactivated.

A lifetime of 1 hour should be used to reduce the chances of a malicious third party being able to load the URL before the customer.

For example, if we had “Username” and “Password” as a username and password, “Password” would be entered into One Time Secret.

The generated URL can then be sent to the customer insecurely along with “Username” and any other required information.
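As an added illustration (not code from the original guidance and not the One Time Secret service's own code), the following Python models the behaviour described above: an unguessable link, a 1 hour lifetime, and deactivation after the first read. The class name, method names and the base URL are assumptions used only for this example.

```python
"""Minimal model of a one-time secret link: one read, then the secret is gone,
and an expired secret is never revealed. Added example, not the real service."""
import secrets
import time

ONE_HOUR = 3600  # the lifetime recommended above


class OneTimeSecretStore:
    # Placeholder base URL for the example; the real service issues its own URLs.
    BASE_URL = "https://example.invalid/secret/"

    def __init__(self):
        self._entries = {}  # token -> (secret, expiry timestamp)

    def share(self, secret, ttl=ONE_HOUR, now=None):
        """Store only the secret (e.g. the password, never the username)
        and return a URL whose random token is the sole key to it."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, URL safe
        self._entries[token] = (secret, now + ttl)
        return self.BASE_URL + token

    def reveal(self, url, now=None):
        """Return the secret for a URL exactly once, or None if the link is
        unknown, already used, or past its lifetime."""
        now = time.time() if now is None else now
        token = url.rsplit("/", 1)[-1]
        # pop() removes the entry on the first lookup, so a second visit
        # (or a replayed link) finds nothing, whether or not the first succeeded.
        entry = self._entries.pop(token, None)
        if entry is None:
            return None
        secret, expires_at = entry
        if now > expires_at:
            return None  # expired: discarded without being revealed
        return secret
```

The customer receives the URL together with the username over an ordinary channel; the password itself only ever travels inside the one-time link.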

Confirming Credentials

Sometimes it is necessary to confirm with a customer that the credentials we have are correct (e.g. for FTP access to a server).

In these scenarios you must do one of the following:

  1. Ask for the credentials to be reissued and/or resent.

  2. Confirm the credentials verbally.

It is inappropriate to send credentials originally provided by the customer back to the customer at a later date.