45
Linux
4y

I really dont get it when people cry over "when sending password in emails".

Had a customer today that wants us to send credentials on WhatsApp instead because it is "secure" instead of email, because email is insecure... .

Comments
  • 12
    Dude has a point. WhatsApp is encrypted (supposedly) end to end, and protected by the pin, patter or fingerprinting lock if enabled. Email is easily intercepted, redirected, spoofed or otherwise compromised.
  • 2
    @monr0e someone can still take the phone, unlock it (pin codes are a joke once you have seen the person enter it), search the chats for "password", and voila.
    The only secure thing to do is to put the password into a password-database* and delete it from whatsapp. Whatsapp is an okish method of exchanging passwords as long as both sides delete it afterwards. I'd still prefer another messenger/programm.

    *NO .DOCX ON YOUR UNSECURED HARD DRIVE
  • 1
    @YouAreAPIRate well, yes In theory. You ever tried remembering a 16 digit pincode after seeing it once?

    In all seriousness, there isn't a perfect method. You're still communicating a password, irrespective of how you do it.
  • 2
    @monr0e who has a 16-digit pin code? My bosses phone doesn't even have one.

    Well, time to introduce management to pgp-parties
  • 2
    Just send me your password with base64 encoding. It's totally secured 😎
  • 1
    @YouAreAPIRate when I had a Nokia brick, my pincode was eight characters long. When I had an N97, it was 24 characters long.

    Nowadays I don't have any phone security. I don't use much social media, so there's no Facebook on here, and email is serverside and only survives one session. I consider it my own damn fault if I lose my phone, and I hate having an umbilical cord tethering me to work when I'm outside or travelling.
  • 0
    You can always introduce them to the concept of encrypted email or passwordless authentication. More work I agree, but it's more cash too.
  • 1
    Let's encrypt.
  • 0
    @illusion466 we could make services passwordless so no one will need passwords anymore
  • 1
    Last month I had to explain to a Senior developer on my company why it's a bad idea to hardcode password on the code, commit and push them to Bitbucket.

    He have 10+ years of web development. I have almost 2.

    We could/should expect this kind of thing (sending passwords via whatsapp) from non-tech people, but I feel betrayed when this kind of failure comes from someone who really should avoid it.
  • 1
    @monr0e
    Mail is secure, if the servers domains are!
  • 1
    @monr0e
    Dont forget that Facebook likes to gather info from WhatsApp also.
  • 1
    @J-2FA
    Tutanota does not have DANE lol
  • 0
    @monr0e Only in transit though, everything is stored in plaintext on the devices itself.
  • 2
  • 1
    @linuxxx
    Got nxdomain with a dig thou ;)
  • 2
    Ah yes... Good old whatsapp. I received a username by mail, password by whatsapp and instructions to use it by skype. (Mail was hmail btw)

    Customer was like: it's secure that way, cause they are different companies. The guy is "very interested" in privacy (his words) and "doesn't like to get tracked" as "they" know everything nowadays... He actually asked me what I think about VPNs a few days ago...
  • 1
    I usually send passwords to clients with privnote and make it clear they'll only be able to view it once, and that they should make a note of it in a secure place
  • 0
    Out of scope, I just love to see @Linux & @Linuxxx have a discussion, always learn something new from their discussion :)
  • 0
    @Linux so I read about nxdomain but whats "dig" ?
    The closest thing I found was this: (https://superuser.com/questions/...) but not really understanding :\
  • 2
    @Linux kind of. I've seen seemingly well built exchange servers very easily compromised before, with the intrusion going unnoticed for some time.

    As for WhatsApp, Facebook does indeed gather information from it. However, my analysis shows that this information contains things like contact numbers, analysis of messaging time patterns, locations and some other stuff. Messages themselves aren't in that bundle, although I've heard rumours about trigger phrases that disable encryption for a given time or a given number of messages based on location and user diversity, so take from that what you will.

    Back when I was an onsite admin, I brought in users to the IT office to facilitate password changes. For a small team or a small org, that's a lot simpler.
  • 1
    @monr0e
    I am am pushing for s/MIME, that would be the best in my oppinion.
  • 1
    @Linux be prepared to be inundated with "its not working!" And "I'm not in the right AD group!". S/mime is great, but its tough to implement.

    One good thing though, is that with it you'll be able to get those keyring things that do the rotating 2FA thingy. Can't remember the name of them for the life of me...
  • 1
    @YouAreAPIRate mine is 17 chars...
Add Comment