Secure communication - sharing passwords

Hello everyone,

this is about sharing secrets within our community. It is important for almost everyone. Sometimes we need to share a password, hand over some account details or talk about sensitive data. But not everybody has a good solution at hand. Let’s discuss good and easy approaches.

Security pros encrypt their emails, use SSH keys and have secure password stores. But in reality, some secrets are sent in plain text via email or text. Here is a list of better alternatives. It starts with the most simple one. You can point someone here whenever you want that person to share a secret. They can then decide which method they feel confident with. The biggest risk is if you don’t know what you are doing.

  1. Use two different channels
    Split the secret in halves. For example, you can split the password in two parts. You send one part via email and the other via text. This is not ideal, but better than sending it all together. You may find this useful if the recipient needs the password on their phone and doesn’t have a laptop available.

  2. Create a password protected office document.
    Most people have some kind of office software. If you don’t, try LibreOffice. This method is good if you have a computer handy. Create a text document or a spreadsheet. Enable encryption or password protection and then put all the details in there. You need to choose a password. Send the document and the password through two different channels. For example, email the office document and call the recipient to tell them the password verbally. Ideally, the password is not recorded. So if you get a text with the password, delete the text after you have opened the office document. After you have stored the information from the office document somewhere safe, you should delete that document and the related message as well.

  3. Use Cryptocat
    This is a chat software that encrypts all messages securely. It aims to be very easy to use. Open a chat window with the other person and you can just paste your secrets there. https://crypto.cat/

  4. Use other OTR plugins
    The encryption method in Cryptocat is called OTR. It is a lot older and there are lots of plugins to use it with other chat software and protocols. If you have friends that use XMPP (Jabber), ICQ, AIM and others (Facebook chat?), you can use Pidgin with the OTR plugin.

  5. PGP encrypted emails
    This is good for sending confidential emails in general. It is also good for sharing passwords, but the chat methods above have the advantage that the chat history is usually not recorded. If you want to encrypt emails on your computer, Thunderbird with Enigmail is a good solution. Android users can install K-9 Mail.

This list is mainly a brain dump. I have not used all of the software and there is a lot I don’t know. Maybe you know some better way to share passwords. But ideally, we would shrink this list and end up with a best practice guide.

I did not include:

  • Online password managers: Yes, they solve this problem, but have their own issues. And they are centralised entities not based on open source software. If two of you are using the same service and want to share a password, great, you don’t need this document.
  • Password store files like KeePass. They are great to store passwords locally. But when sharing passwords, it’s more likely that the other person has a recent office version. The encryption is still strong.
  • Chat apps like Threema. It’s secure, but commercial.
  • Chat apps like WhatsApp. They promise end-to-end encryption, but it’s not guaranteed, not free software and this example is owned by Facebook. It might be safer than text though.

Why not have a nextcloud instance? We could have an office suite in it, password management, and basic document management. We have a few clients that use this for their businesses.

I was more looking at infrastructure independent advice. But yes, that’s an option, too. It would be at least $10 a month for hosting. What about sharing with people outside of the organisation? And it doesn’t cover the ideal case for techies: end-to-end encryption (OTR or PGP).

Check this out. We use this internally https://github.com/nextcloud/passman. It is simple to invite someone to use the system. I also have plenty of server space at our colo location. We would be more than willing to spin up another instance for OFN. Sharing passwords is a pain and this is what we do with our clients. Credentials are stored with 256 bit AES. Also for messaging we use rocket.chat. Direct messages are OTR encrypted if you want that.

Encrypted communication always has the challenge of getting your counterpart to use something compatible. There are plenty of encrypted email methods but they usually arrive unencrypted at the other end. I sometimes use Protonmail, which also encrypts your mailbox, so that no one can see your emails (including Protonmail staff), as well as keeping the emails encrypted in transfer. But of course the recipient needs a Protonmail account too.

How about forums and github? Is it not a potential security risk if anyone in the world can read detailed technical discussions and code?

No, I don’t think that it’s a security risk. It’s all about open source. Everybody can study the code and try to find security holes. Fortunately, there seem to be more good guys than bad guys. In that case it’s more likely that something gets reported and fixed than someone exploiting it.