Hello community. Looking for input on how to securely share logins (not files) from a third party to me. Think business level stuff like admin for a web site or a SaaS tool. This is NOT highly sensitive data, yet important to keep secret from service providers, passive attacks, public exposure.
The situation is that I have business customers (B2B, B2C) who share credentials with me for business purposes. Low security level. Some use LastPass so that (I think) is more secure. However, many customers are less tech savvy or have little knowledge of the risks of sending logins via email (big cringe).
I have done some research. There are sites like https://privnote.com yet there is no guarantee they are storing things securely or destroying the note on their end.
What would you do to share credentials when you have a lower tech friend (or parent) that isn’t going to install an app on a phone or install a program on their computer? How do you balance security and keeping-it-simple?
I’d appreciate advice. I’m open to running something myself as long as it isn’t too technical. (I know that’s relative.) Still, compelled to write that because much of what is in these posts is “beyond my current pay grade.” Learning. Thanks!
There are tons of approaches to this. Personally I’ve cycled through the following options at different time periods; I’m sure other people have found other techniques they can share:
Signal or another E2EE messenger’s destruction feature. Very convenient & generally secure. Also guaranteed to wipe the data from both ends.
Similarly, some email providers like Tuta/Proton offer auto-destruction if email is the only option.
You can have a zero-knowledge shared account of some sort. Bitwarden I believe allows multiple users, or you can repurpose a tool like Cryptee or CryptPad & share account credentials so you can mock “collaborate” on a file to share credentials. CryptPad actually has native collaboration/sharing options if you wanted to just strictly use CryptPad w/ multiple users in a team (no need to share an account). I find this all kind of messy though for something as simple as sharing a password.
The best thing to do is find a way to share this information so that the information itself is secure before touching a service. This means using something like a KeePass database (which is an encrypted file itself) - just an extra precaution if you want to eliminate the need to trust whatever service you end up using. Sending a plain-text password over the internet will inevitably require a layer of trust with whichever tool you choose, so bypassing that could be a great option.
Any tips for sending credentials when you can’t talk to the other party in-person to communicate how they should open the encrypted message you send?
For example, I send an encrypted email via Proton Mail with some login credentials, but you need to send the password to the email somehow as well. It seems like you need to establish an encrypted connection first so that you can send sensitive info like this back and forth.
For friends, you can just as easily use Signal, but I don’t think that would work in a professional context based on your relationship with the other person, the question of obtaining their phone number, and the patience they may or may not have with a ‘paranoid’ solution.
This is a problem, and it’s the reason public-key cryptography like PGP was created in the first place: to establish an encrypted channel without sharing secrets. Without PGP you have to establish some out-of-band way to share that password (i.e. not over email, obviously), so you basically have to move to some other form of instant messaging anyways. This is one reason I would just discourage the use of email for person-to-person communications entirely; there isn’t a great way to do it securely at all:
There are a number of instant messengers you could choose to use which don’t share your phone number, like Session or Matrix.
Do you need to share credentials with others securely or only receive them securely?
If you’re only receiving credentials the best way is probably to self-host some type of web form that encrypts messages sent to you. There’s a bit of a technical burden on your end then, but that is the tradeoff for having a system that absolutely anyone else can easily use, since all they have to do is visit a link.
If you use PGP for email there are a number of examples out there on how to make a web form which encrypts a message with your PGP public key and emails it to you. For example, if you have a WordPress site you could use a plugin like wp2pgpmail to create such a form.
For personal use, Signal is easy because more than likely I know the other person already and we’re probably talking via SMS. Maybe I can’t convince them to use Signal on the regular, but if I need to send a password I think it’s reasonable for them to get Signal for that transfer.
In a business context, I could potentially do the same, but if you’re in a position at work where that would be awkward or inconvenient for the other person, it’s a tougher sell. The other person may put up more resistance and I, depending on my role and their role, may not even want to suggest that as an option.
Something like working with PGP signatures sounds good on paper, but unless you’re dealing with tech savvy people that probably won’t work. I’ve installed Linux and even I haven’t gotten around to learning how that works, so odds are that someone in a business context would run into the same issue. You basically have tech normies dealing with sensitive company or customer data. I don’t see how credentials can be sent securely without support from an IT person in terms of training and providing the tool.
Or I should say that I don’t know of any solutions but would like to!
Hi @InternetGhost , I want to commend your line of questioning here because it describes my situation with customers – folks who are unlikely to commit to adding Signal to their phone. I am interested to see where this thread goes.
I imagine one possible solution for your case, although I don’t know if that solution already exists (I think keybase.io already does that, however I’m not sure if the user sending you the data can do that from the web and without having to signup).
It would be a web app. It should work like this:
For the user sending the data, it would require a file to upload (or he could write a message that would be transformed into a text file).
A public OpenPGP key would also be required, with two possible options:
You would send him your public key through any way you prefer. The user then would have to go to the web app and attach the key.
You would attach the ID to the URL of the web app (just keeping it simple for now, but the app could allow you to just paste and then give you the link to share), something like this: appname.com/share?key=<KEY-ID>. And share that URL with the user.
This option would be easier for the user, since he wouldn’t even know there’s a key involved in the process. He would just open the link in his browser and attach the file. The web app would take care of getting the public key from the service based on the KEY-ID.
The web app would encrypt the file locally (in the user’s browser; the file wouldn’t be sent to any server unencrypted) using the public key.
I see two options here; I would go for the first one for simplicity’s sake:
The web app would send the encrypted file to a third party service like filester.sh, get the link and present it to the user.
The web app could store the file in a server and create a link to download.
The user would send you the link to the encrypted file.
You would download it and decrypt with your private key.
As I said before, I don’t know if such a solution already exists. Personally I don’t have the time to develop it now, but here’s the idea if someone is interested…
You can also encrypt using a preferred method and send it that way. B64 to Hex to some other cipher, etc. The encryption doesn’t matter as long as only you and the recipient exchanged the decryption method. It doesn’t allow for self-destructing messages, but those aren’t really useful for sensitive information anyways because screenshots and copy/paste exist.
Signal is a great resource for messaging back and forth, as is its counterpart, Session. The benefit of Session is the app is not going to require a phone number, email, or other PII. You can create an account, encrypt the password/login details, then send the raw text to the recipient. I use this method all the time for encrypting passphrases to clients, then uploading the text to a one-time-pad (OTP) that does solve the self-destructing matter. Services like Riseup offer these one-time-pads that have a shelf life of around 12 hours (https://share.riseup.net/) or you can use another one, or you can create one yourself which is available open-source to all.
Zerobin is another option that does offer burn-after-reading and the source is open to all. This is commonly referred to as a dead drop. The technology and encryption behind OTPs are cryptographically unsolvable without the ciphertext and one other unknown.
I think self-destructing messages are still useful for the folks in our lives who mean well but who otherwise aren’t as security conscious. If I send credentials to my mom, I’m not worried she’s going to screenshot or copy it somewhere else, but I don’t want it just sticking around on her phone either.
Of course, if they’re credentials that the person needs often and they’re tired of their privacy-conscious friend or relative deleting it, it may find a new home in a notes app, lol. Security takes clear communication sometimes.