*Email privacy and security survey*

Vurbal:
I use Thunderbird and have Enigmail installed and configured. However there aren't too many circumstances when it's actually useful. Only 2 people I communicate with via email use it themselves.

One of them always signs his emails - not surprising since he also wrote and administered the first public PGP keyserver. I don't encrypt emails I send to him, but I do sign them.

The other is Mike Masnick. I've started encrypting all my messages to him just because I figure he's pissed the NSA off so much they probably read his email on general principle. I'm not sending anything I expect them to care about, but that's sort of the point. If there's even an outside chance they will waste resources cracking the encryption it seems like the responsible thing to do.

Stoic Joker:
I'm in favor of the single use ephemeral "reset" password scheme.-Stoic Joker (August 16, 2013, 03:52 PM)
--- End quote ---
What is this?-wraith808 (August 16, 2013, 03:58 PM)
--- End quote ---

A really bad (rushed...) description of something we've all seen many times?

Most sites if you click the lost password link send a reset password link to the account's Email address that typically expires in 24 hours or less and allows the user to change their password to something that isn't lost.

I've done a variation on that for clients (in a pinch) if I know they are sitting there waiting/trying to login. I log into the server, set their account to require a pw change on next login, and then Email the password to wherever they would like because it ain't gonna be any good in less than 60 seconds anyhow.

I really don't think there is a truly secure way of sending passwords. You can try encrypting it sure...but then what do you do with the encryption key (Infinite loop anybody?)?? So it's really just best to minimize the exposure window by keeping the timeline as tight as possible.
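
The reset-link scheme described in the post above, sketched as an added example (not part of the original thread and not any site's actual code). The class name `ResetTokenStore`, its in-memory storage and the injectable clock are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 60 * 60  # the "24 hours or less" window from the post


class ResetTokenStore:
    """In-memory stand-in for a server-side table of pending resets (hypothetical)."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock  # injectable so expiry can be exercised without waiting
        self._pending = {}   # account -> (sha256 of token, expiry timestamp)

    def issue(self, account):
        """Create the token to embed in the emailed link; replaces any older one."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).digest()
        # Only the hash is stored, so a leaked table does not yield usable links.
        self._pending[account] = (digest, self._clock() + self._ttl)
        return token

    def redeem(self, account, token):
        """Return True exactly once for a valid, unexpired token; False otherwise."""
        entry = self._pending.get(account)
        if entry is None:
            return False
        digest, expires_at = entry
        if self._clock() >= expires_at:
            del self._pending[account]  # expired: drop it so it can never be used
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, digest):  # constant-time compare
            return False
        del self._pending[account]  # single use: consume on success
        return True
```

Shortening `ttl` tightens the exposure window for a token sitting in a mailbox; the forced-change-on-next-login variation in the post corresponds to a very small `ttl`.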

app103:
I've done a variation on that for clients (in a pinch) if I know they are sitting there waiting/trying to login. I log into the server, set their account to require a pw change on next login, and then Email the password to wherever they would like because it ain't gonna be any good in less than 60 seconds anyhow.
-Stoic Joker (August 16, 2013, 06:54 PM)
--- End quote ---

My situation is slightly different, in that I need Grandma Dum-Dum to be able to send the info to me, not the other way around. And if after receiving the info, I go and change her passwords on her (because she sent them insecurely), and she can't log into her cpanel or ftp, she is going to panic and think I have hijacked her website instead of securing it for her. I'd like to be able to have her give the info to me securely, use it to complete the job she hired me for, then suggest she change the passwords when the job is done. If at that point she doesn't take my advice, at least with it being me that has the password info, with my knowing I won't do anything harmful with it (if I can't trust myself, then who can I trust?), I won't have to worry as much.

I really don't think there is a truly secure way of sending passwords. You can try encrypting it sure...but then what do you do with the encryption key (Infinite loop anybody?)??
-Stoic Joker (August 16, 2013, 06:54 PM)
--- End quote ---

Bingo! Now you fully understand my problem.  :(

Renegade:
I really don't think there is a truly secure way of sending passwords. You can try encrypting it sure...but then what do you do with the encryption key (Infinite loop anybody?)??
-Stoic Joker (August 16, 2013, 06:54 PM)
--- End quote ---

Go scuba diving in an underwater cave with a grease pencil and board to write on. Oh, and a good memory as you can't do this twice. Erase the board after you're done then set charges and blow up the cave after you leave - NOT before you leave! Important point there - AFTER! Not before! ;) ;D

app103:
I really don't think there is a truly secure way of sending passwords. You can try encrypting it sure...but then what do you do with the encryption key (Infinite loop anybody?)??
-Stoic Joker (August 16, 2013, 06:54 PM)
--- End quote ---

Go scuba diving in an underwater cave with a grease pencil and board to write on. Oh, and a good memory as you can't do this twice. Erase the board after you're done then set charges and blow up the cave after you leave - NOT before you leave! Important point there - AFTER! Not before! ;) ;D
-Renegade (August 16, 2013, 08:27 PM)
--- End quote ---

Never underestimate the intelligence of dolphins. I am pretty sure they would hack your website, if given the chance...and your password.


He's laughing because he knows it's true!
