Secure way to transmit passwords

Hey LTS guys, what do you guys use for customers to share a password with you securely? I’m not wild about texting or emailing passwords for obvious reasons and I stumbled across OneTimeSecret.com. Any input on this?

Hmm, theoretically, any encryption mechanism that the end user can handle.
If email, maybe PGP / GPG.
Using some random online solution is asking for trouble. To play with your friends, it may be ok but for a business solution, seriously not.
It’s better to do this based on protonmail. In extreme situations, you can even use the veracrypt container as a bucket to carry data and send people in various ways email / www / ftps / p2p.

If I were to implement such a communication channel, I would think about it, which is simple and feasible for the end user.
The matter of what functionality you need exactly. Whether it is to be a double-sided channel or just one directional to provide text to the user. Is it supposed to be secure password transfer. You can even send a keepass or other database.

In one place I used the code card in connection with protonmail.
I create an encrypted message with time limit and password on protonmail. This url is sent to the user using a different e-mail account. The user is in physical possession of code cards with assigned item numbers. Using sms I sent the user a number which on a given day is responsible for a given url.
The customer receives a text message with the number 54. He checks the code card for the combination in section 54. Then he uses the codes from section 54 as the password to decrypt the message from protonmail. Each message has a 24 hour time limit and individual code.

2 Likes

I have used this before
https://yopass.se/#/

It works well, can be self hosted and it’s not that difficult to use. Also, to add some security to this, a phone call and giving them three characters over the phone add’s some entropy.

2 Likes

We store the users mobile number in their account, we text their mobile number for a verification code.

New around here :slight_smile:

I wrote a tool just for this that does the job for us: https://github.com/domkirby/dk-pass-push

It’s pretty similar to onetimesecret.com - it encrypts each secret with a unique key and with the hashing, you cannot find which secret is which without knowing the URL.

1 Like