netikras · 218d

A good life lesson:
1. DON'T DELETE FILES YOU MAY WANT TO RECOVER

And if you DO delete them and then recover them, then
2. DON'T SEND THE RECOVERED FILES TO A·N·Y·O·N·E

Today I found a lost µSD card in the street. I did what every sane person would do -- plugged it into my laptop :)

There I found a directory with recovered pictures. I figured, some of them may contain the author's info in metadata, so I ran a quick plaintext search for @gmail.com.

Turns out, inside some of the recovered picture files I could find a company director's emails embedded in plain text. I mean, open the picture with a text editor and read through those emails - no problem! And these emails contain some quite sensitive info, e.g. login credentials (lots of them).

Bottom line, if you delete and recover your files, then do your best to keep them close: don't share them, don't lose them. You might be surprised what these recovered files may contain.
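One way to check recovered pictures before handing them to anyone, as an added example that is not from the post: walk the JPEG marker structure to find where the real image ends (decoders ignore whatever follows the EOI marker, which is why a carved file still opens fine), then search that tail for addresses and credential-looking strings. The sample bytes are constructed; the assumption is that the carving tool appended the neighbouring disk blocks after the image data.

```python
import re

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CRED_RE = re.compile(rb"(?i)\b(?:password|passwd|pwd|login)\b\s*[:=]\s*\S+")

def jpeg_end(blob: bytes):
    """Offset just past the EOI marker, found by walking the JPEG segments.
    Returns None if the bytes are not a cleanly structured JPEG."""
    if not blob.startswith(b"\xff\xd8"):               # SOI
        return None
    pos = 2
    while pos + 2 <= len(blob):
        if blob[pos] != 0xFF:
            return None                                 # lost marker sync
        marker = blob[pos + 1]
        if marker == 0xD9:                              # EOI: real image ends here
            return pos + 2
        if marker == 0xFF:                              # fill byte, resync
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:    # TEM / RSTn carry no length
            pos += 2
            continue
        if pos + 4 > len(blob):
            return None
        pos += 2 + int.from_bytes(blob[pos + 2:pos + 4], "big")  # skip segment (EXIF thumbnails too)
        if marker == 0xDA:                              # SOS: skip entropy-coded data
            while pos + 1 < len(blob):
                nxt = blob[pos + 1]
                if blob[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                               # a real marker, not stuffing/RST
                pos += 1
    return None

def scan_recovered_jpeg(blob: bytes) -> dict:
    """Report plaintext that carving glued onto the end of an otherwise valid JPEG."""
    end = jpeg_end(blob)
    tail = blob[end:] if end is not None else b""
    emails = sorted({m.decode("ascii", "replace") for m in EMAIL_RE.findall(tail)})
    hints = [m.group(0).decode("ascii", "replace") for m in CRED_RE.finditer(tail)]
    return {"trailing_bytes": len(tail), "emails": emails, "credential_hints": hints}

# Constructed sample: a minimal JPEG skeleton followed by a carved-in mail fragment.
SAMPLE = (b"\xff\xd8"                                   # SOI
          + b"\xff\xe0\x00\x04\x00\x00"                 # APP0, length 4
          + b"\xff\xda\x00\x02"                         # SOS, header only
          + b"\x12\x34\xff\x00\x56"                     # scan data (FF00 = stuffed FF)
          + b"\xff\xd9"                                 # EOI
          + b"From: director@example.com\r\npassword: Sup3rS3cret!\r\n")
```

Run `scan_recovered_jpeg(open(path, "rb").read())` over a recovered directory; any file with a non-zero `trailing_bytes` and hits deserves a look before it is shared.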

Comments
  • 0
    Wait... how do you open the picture as a text? Why?
  • 3
    Also, that's one more reason to never ever ever EVER EVERRRR send any passwords/secrets via email
  • 2
    @iiii `less -L image.jpg`

    why? to read the plain-text data mistakenly embedded inside the image during file restoration :)
  • 0
    @netikras so it's a text file mistaken for an image?
  • 2
    @iiii No. It's a valid and properly working jpg image, with text data buried inside.

    Steganography
  • 1
    @netikras I would agree, but no :)

    How else should I communicate a 45-character-long database password to a consultant? Dictate it 1 letter at a time?
  • 0
    @NoToJavaScript send half through email, half through an encrypted chat. Send it as a password-protected archive with a simple (yet still hard to brute force) password. Send it through a communicator with built-in self-destructing messages.
  • 0
    @NoToJavaScript Oh dear, I shouldn’t transmit my database password in cleartext and have it stored unencrypted on someone else’s servers? Wherever shall I do?

    Really.
  • 1
    @netikras ah, I see. Is anyone really using it as a valid technique for info concealing without a layer of encryption?
  • 0
    @Root OK.

    So how do you share it?

    Especially since there is a whitelist, and a password without whitelisting the client won't matter anyway.
  • 0
    @netikras lol.

    Don't have phone numbers.

    Vault? You'll need to give access to a vault anyway!

    Good idea tho. I'll look into it.
  • 0
    @NoToJavaScript There are services dedicated entirely to this, like Egnyte. (Best for corporate use cases.)

    Or you could transmit the password via Signal or some other end-to-end service. Super easy.

    You could also email them a password-protected archive and call them to tell them the password (or use some other service disconnected from their email). This is the easiest for both parties.

    You could instead have them download the archive over SFTP given temporary credentials. Same as above but a bit safer.

    You could of course also hand it to them in person :)

    Or you could treat it like an API key and have a website show them the password once and only once.

    The point is there’s lots of ways around sharing it in cleartext. But since it’s a password they cannot change, and it grants significant access, you really do need to handle it with care to prevent exposure. Remember, most exposed credentials are caught by automated scripts, and many attacks are likewise automated.

    The white list is an exceptionally good second layer, and limits (but does not exclude!) the usefulness of the intercepted password. A bad actor could still utilize it with sufficient effort.

    (Of course, temper your choice with the associated risk.)
  • 1
    @NoToJavaScript If I have to, I prefer sharing secrets over SMS. If I can't, then I use 2-3 different channels to split the password, e.g. half the passphrase via messenger, the other half via email.
  • 0
    @iiii I'm pretty sure some people do use that. I personally don't. There are simpler ways to store info :)