Sometimes it is unavoidable to send passwords and credentials to a counterpart who needs access to some kind of management tool, because no proper and secure user management is available.
I used to just send the credentials together with the login link. Now imagine what this means: a scanner or crawler could find the credentials combined with the login link in one email, or, if the email gets accidentally forwarded, the full information travels with it, including who sent it: me.
Now I have started to use a kind of 2-factor communication:
- Write the credentials into a file, put it in a Zip archive and protect the archive with a password.
- Send the password-protected Zip file to the counterpart via mail.
- Send the password over a different channel, e.g. WhatsApp, another mail, a phone call or a small piece of paper.
- In the password message, do not mention the original mail with the Zip file.
What does this mean?
- An unauthorized person who sees the password would not know what it is for.
- The password for the Zip file (sent via WhatsApp) lives in a different system than the Zip file itself (sent via mail), so compromising one system alone gains nothing.
- The credentials are no longer stored in plain text in the mail and do not get copied along with every forward.
- This method adds another layer of security, because now two systems would need to be compromised.
- It pushes others to use this scheme as well and acts as a reminder not to just forward mails with passwords but to use the second channel too: to get everything into one insecure mail, one would have to rewrite or at least edit the mail and add the password.
I came across this approach recently when I received credentials via mail and the password via WhatsApp. At first I took it for granted and only realized a few days later that this is pretty clever. It is not the most secure or absolutely perfect solution, but it does add a layer of security to communication, and that is what security is about for me.
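The steps above as an added example (not from the original post): a small POSIX shell script that generates the passphrase, packs a constructed credentials file into a password-protected archive, and shows the passphrase only on the terminal so it goes out over the second channel. It assumes 7z, zip or openssl is installed, and includes a check that the plaintext is really not readable inside the archive before it is attached to a mail.

```shell
#!/bin/sh
# Added example (not from the original post): pack a credentials file into a
# password-protected archive and show the passphrase only on the terminal, so
# it is handed over through the second channel instead of the mail that
# carries the archive. Assumes 7z, zip or openssl is installed. Plain `zip -P`
# uses the legacy ZipCrypto scheme, far weaker than AES-256; prefer 7z.

# Random 20-character passphrase from letters and digits only, leaving out
# look-alikes (0/O, 1/l/I) so it can be read out loud or written on paper.
gen_passphrase() {
    LC_ALL=C tr -dc 'A-HJ-NP-Za-km-z2-9' < /dev/urandom | head -c 20
}

# pack_credentials <plaintext-file> <archive-basename> <passphrase>
# Creates <basename>.7z, .zip or .enc depending on the tool found and prints
# its path. The passphrase shows up briefly in the process list (`ps`); fine
# on a single-user workstation, not on a shared host.
pack_credentials() {
    src=$1; base=$2; pw=$3
    if command -v 7z >/dev/null 2>&1; then
        # AES-256; -mhe=on also encrypts the file names inside the archive
        7z a -p"$pw" -mhe=on "$base.7z" "$src" >/dev/null && echo "$base.7z"
    elif command -v zip >/dev/null 2>&1; then
        # -j drops the directory part so the archive does not reveal paths
        zip -q -j -P "$pw" "$base.zip" "$src" && echo "$base.zip"
    elif command -v openssl >/dev/null 2>&1; then
        # No archiver at all: AES-256-CBC with a PBKDF2-derived key instead
        openssl enc -aes-256-cbc -pbkdf2 -salt -pass pass:"$pw" \
            -in "$src" -out "$base.enc" && echo "$base.enc"
    else
        echo "pack_credentials: no 7z, zip or openssl found" >&2; return 1
    fi
}

# leaks_plaintext <archive> <secret>: exit 0 only if the secret is still
# readable verbatim inside the archive, i.e. the encryption did not happen.
leaks_plaintext() {
    grep -q -a -F -- "$2" "$1"
}

# --- demo with a constructed credentials file (not real data) ---
workdir=$(mktemp -d)
printf 'URL: https://example.invalid/admin\nuser: demo\npass: Tr0ub4dor-example\n' \
    > "$workdir/credentials.txt"
PASSPHRASE=$(gen_passphrase)
ARCHIVE=$(pack_credentials "$workdir/credentials.txt" "$workdir/credentials" "$PASSPHRASE")
rm -f "$workdir/credentials.txt"        # do not leave the plaintext lying around
echo "attach to the mail:   $ARCHIVE"
echo "send via 2nd channel: $PASSPHRASE" # never put this into the same mail
```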