While doing work for and with clients there are many situations when I must create a new account for someone and somehow obtain or provide a password from/to them. I certainly need to create a password, and they must know what it is in order to use the system. But if I simply e-mail it to them, it’s possible for others to read the password and use it without our knowledge. So, what can be done to deliver the password?Here is a list of methods for delivering passwords that I could possibly use:
- Email to/from them
- Phone call
- Overnight an envelope with a password in it
- Ask them to submit the password through a secure website
Usually, I opt for #4, since the end user can send a message that’s completely secure, and travels from them to myself over SSL (same encryption used by your banking websites.) When it comes to public-facing systems, like a web server, I make every attempt to NOT use passwords, since they can be cracked with enough time. Instead I opt for key pairs.
In one particular example that I ran into yesterday with a client, I was to provide access to my customer’s system for a third party. This party needed to update files on the server that I maintain on behalf of my client. Since I opted for keys to secure their access, I emailed instructions on how to generate a key pair, and to then email the public key to myself.
I received an email reply 1 day after sending this that blew me away. This person delegated the creation of this key pair to a colleague presumably because he didn’t understand my instructions (with screen-shots in them). Once the files were saved to their network share, the original person forwarded the internal email to me, intact with the public key, private key and the password for their private key! This, of course, completely exposed the key in every facet rendering it insecure and useless for its intended purpose, providing me with a decision to make. Do I throw it back at them so they can create it again properly? Do I go ahead and use the key, leaving my customer’s server exposed to anyone that may have seen or will see the email in the future? I think not.
My policy is to never allow access to a system unless I have every reason to believe the access will be secured, and that proper security precautions are understood and will be followed. I must first assess the situation, and decide if this person made a blatant error, or truly doesn’t understand the consequences of his actions. If they just don’t understand their actions, this is highly concerning… if they don’t know how to be safe with this access, how can I expect them to be safe? This is like trusting a baby to drive to the store, pick-up eggs and bacon, then come home and cook you breakfast!
We will have to see how things work out when I challenge them with their actions. I’ll be recommending that this customer put on the brakes long enough to make them think, in addition to sending them a legally enforceable document for them to sign, stating that they will protect the private key and password, that they accept legal responsibility for any access to the system using their key and that they will indemnify my client for any and all actions resulting from the improper use of this key. Furthermore, they will contact us immediately if they have reason to believe the key had been compromised.
When will people learn that security is not something to take lightly?