This is about sharing secrets within our community. It is important for almost everyone. Sometimes we need to share a password, hand over some account details or talk about sensitive data. But not everybody has a good solution at hand. Let’s discuss good and easy approaches.
Security pros encrypt their emails, use SSH keys and have secure password stores. But in reality, some secrets are sent in plain text via email or text message. Here is a list of better alternatives. It starts with the simplest one. You can point someone here whenever you want that person to share a secret. They can then decide which method they feel confident with. The biggest risk is not knowing what you are doing.
Use two different channels
Split the secret into two halves. For example, you can split the password in two parts. You send one part via email and the other via text message. This is not ideal, but it is better than sending it all together over one channel. You may find this useful if the recipient needs the password on their phone and doesn’t have a laptop available.
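Added example, not from the original post: it carries the two-channel idea one step further. Cutting the password in half hands each channel half of the real password; an XOR split instead produces two random-looking shares that reveal nothing on their own and are sent over the two channels exactly as described above. The sample password is constructed and the function names are my own.

```python
import base64
import os
from typing import Tuple


def split_secret(secret: str) -> Tuple[str, str]:
    """Split a secret into two shares that must both be present to recover it.

    share_a is a fresh one-time pad; share_b is the secret XORed with it.
    Either share alone is indistinguishable from random bytes, so someone
    who reads only the email or only the text message learns nothing.
    """
    data = secret.encode("utf-8")
    share_a = os.urandom(len(data))
    share_b = bytes(x ^ y for x, y in zip(data, share_a))
    # Base64 keeps the shares printable so they survive email and SMS.
    return base64.b64encode(share_a).decode(), base64.b64encode(share_b).decode()


def combine_shares(share_a: str, share_b: str) -> str:
    """Recover the secret from the two shares received over different channels."""
    a = base64.b64decode(share_a)
    b = base64.b64decode(share_b)
    if len(a) != len(b):
        raise ValueError("shares do not belong together")
    return bytes(x ^ y for x, y in zip(a, b)).decode("utf-8")


if __name__ == "__main__":
    # Constructed sample password, not a real credential.
    email_part, sms_part = split_secret("correct horse battery staple")
    print("send via email:", email_part)
    print("send via text :", sms_part)
    print("recovered     :", combine_shares(email_part, sms_part))
```

Each share is as long as the secret, so this works for passwords and short notes rather than whole documents.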
Create a password-protected office document
Most people have some kind of office software. If you don’t, try LibreOffice. This method is good if you have a computer handy. Create a text document or a spreadsheet. Enable encryption or password protection and then put all the details in there. You need to choose a password. Send the document and the password through two different channels. For example, email the office document and call the recipient to tell them the password verbally. Ideally, the password is not recorded anywhere. So if you receive the password as a text message, delete that message after you have opened the office document. Once you have stored the information from the office document somewhere safe, delete that document and the related message as well.
Use Cryptocat
This is chat software that encrypts all messages securely. It aims to be very easy to use. Open a chat window with the other person and you can just paste your secrets there. https://crypto.cat/
Use other OTR plugins
The encryption method in Cryptocat is called OTR. It is a lot older than Cryptocat, and there are lots of plugins to use it with other chat software and protocols. If you have friends that use XMPP (Jabber), ICQ, AIM and others (Facebook chat?), you can use Pidgin with the OTR plugin.
PGP encrypted emails
This is good for sending confidential emails in general. It is also good for sharing passwords, but the chat methods above have the advantage that the chat history is usually not recorded. If you want to encrypt emails on your computer, Thunderbird with Enigmail is a good solution. Android users can install K-9 Mail.
This list is mainly a brain dump. I have not used all of the software and there is a lot I don’t know. Maybe you know a better way to share passwords. Ideally, we would shrink this list and end up with a best practice guide.
I did not include:
- Online password managers: Yes, they solve this problem, but have their own issues. And they are centralised entities not based on open source software. If two of you are using the same service and want to share a password, great, you don’t need this document.
- Password store files like KeePass. They are great for storing passwords locally. But when sharing passwords, the other person is more likely to have a recent office suite than KeePass. The encryption is still strong.
- Chat apps like Threema. It’s secure, but commercial.
- Chat apps like WhatsApp. They promise end-to-end encryption, but it’s not guaranteed, it’s not free software, and WhatsApp itself is owned by Facebook. It might still be safer than a plain text message though.