Send a password over email
June 28, 2008 5:14 PM

Send a password over email (to a non-techy client) without compromising its security.

I have a web-design client whom I need to send a PayPal password to. I have worked to make this password secure and would like to avoid sending it in a plain text email over the interwebs. How can I send it without compromising its security?
posted by bjtitus to Computers & Internet (20 answers total)
 
Fax?
posted by special-k at 5:24 PM on June 28, 2008


or simply call him and tell him the password?
posted by special-k at 5:25 PM on June 28, 2008


Response by poster: Multiple people need to know the password so calling would be difficult (and they won't share it with each other well).
posted by bjtitus at 5:26 PM on June 28, 2008


Save as an image and embed in an html email?
posted by suedehead at 5:26 PM on June 28, 2008 [1 favorite]


Tell them over the phone. Even in George Bush's America, that's still remotely more secure.

Only way to send it safely over email would be to encrypt it, and trying to step non-techies through using something like PGP is a headache.
posted by qxntpqbbbqxl at 5:26 PM on June 28, 2008 [1 favorite]


Post it on a webpage?

"Bob, I have temporarily put the password on: https://www.myconsultingcompany.com/projects/bobspendesignco/paypal.txt - I will delete it in 8 hours."
posted by SirStan at 5:28 PM on June 28, 2008


In these circumstances I generally send the login and password separately, and both separate from the URL they apply to. It's not massively secure but a lot more secure than just emailing the whole thing.
posted by unSane at 5:38 PM on June 28, 2008


Contaminate the password with information that you both shared. For example, multiply it by the street address of the bistro in LA where you shared a coffee. Tell him this on the phone, then email the contaminated password. He divides by the address, and presto!
posted by weapons-grade pandemonium at 5:51 PM on June 28, 2008


Or simply email the code and give him the factor on the phone: "Divide the number in my email by 56."
posted by weapons-grade pandemonium at 5:58 PM on June 28, 2008


I don't suppose you can give him a password, and then have him immediately change it?
(He would then obviously give you the new password over the phone)
posted by niles at 6:11 PM on June 28, 2008


Snail mail? Leave off what it applies to, but it might work if time-sensitivity is not a factor. Follow up with an e-mail to ensure they get it (or certified mail?).
posted by toaster at 6:17 PM on June 28, 2008


From reading way too many spy novels:

Try a book cypher? You know, like agree to a book and a page over the phone, then email him a bunch of numbers: 1 is the first letter on the page, 2 is the second, etc.
posted by Comrade_robot at 6:21 PM on June 28, 2008


Sign up for a free hushmail account.
posted by hooray at 6:38 PM on June 28, 2008


This is what snail-mail is for. Take a page from the banks and send it in a thick envelope with some kind of noise pattern printed inside to make it hard to read without opening.

Use email to tell them it's coming and request acknowledgment of receipt.
posted by grobstein at 6:51 PM on June 28, 2008


I'm surprised no one seems to have written with the "correct" answer. Encryption.

Here's a free option:
http://www.gnupg.org/

Download the software, test it out yourself. Write up simple instructions on how to install it. Then encrypt your message, send it to the clients. Presto.

It's the correct way to go about sending sensitive data. Plus, if they're your clients, the smart ones will be impressed.
posted by ceberon at 8:18 PM on June 28, 2008


2 pieces of info. Email saying: the password will be a word I tell you on the phone, followed by the number 907. Then call and give them the word jello, for the password jello907.
posted by theora55 at 8:31 PM on June 28, 2008
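
The two-channel suggestions above (a word by phone plus a number by email, or "divide by 56") each expose part of the password in the email itself. As an added example, not part of any commenter's post, this generalizes the idea to an XOR split in which either half alone is random data; the function names are illustrative and the share format (Base32 in groups of four) is an assumption chosen for reading aloud.

```python
import base64
import hashlib
import secrets

def encode_share(raw: bytes) -> str:
    # Base32 (A-Z, 2-7) in groups of four is easy to read aloud or retype.
    text = base64.b32encode(raw).decode("ascii").rstrip("=")
    return "-".join(text[i:i + 4] for i in range(0, len(text), 4))

def decode_share(share: str) -> bytes:
    # Accept dashes, spaces and lowercase, as a person retyping would produce.
    text = share.replace("-", "").replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))

def split_secret(password: str) -> tuple[str, str]:
    """Return (phone_share, email_share); each alone is uniformly random bytes."""
    data = password.encode("utf-8")
    # Two checksum bytes let the recipient detect a misheard or mistyped share.
    data += hashlib.sha256(data).digest()[:2]
    pad = secrets.token_bytes(len(data))  # fresh one-time pad, never reused
    masked = bytes(d ^ p for d, p in zip(data, pad))
    return encode_share(pad), encode_share(masked)

def join_shares(phone_share: str, email_share: str) -> str:
    a, b = decode_share(phone_share), decode_share(email_share)
    if len(a) != len(b):
        raise ValueError("shares have different lengths")
    data = bytes(x ^ y for x, y in zip(a, b))
    body, check = data[:-2], data[-2:]
    if hashlib.sha256(body).digest()[:2] != check:
        raise ValueError("checksum mismatch: one share was copied wrongly")
    return body.decode("utf-8")

if __name__ == "__main__":
    # "jello907" is the sample password from the comment above.
    phone, email = split_secret("jello907")
    print("read over the phone:", phone)
    print("send by email:      ", email)
    print("recombined:         ", join_shares(phone, email))
```

The share length still reveals the password length, and the scheme only holds while the two channels are not both intercepted.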


I don't know if this is secure enough, but why not zip the text file (and use a zip password on the file, like the client's date of birth or something)?

Along similar lines, maybe more secure, use LockNote. Standalone (no installation) encrypted text editor (with AES 256-bit encryption). Type the PayPal password into LockNote, use the client's date of birth or something as the password for the LockNote, send the LockNote file to the client. On the receiving end the client merely double-clicks it, enters the LockNote password, and sees the text file (so they don't have to mess with PGP).
posted by jak68 at 8:32 PM on June 28, 2008


Wait... you're worried about security of a password, but you're sending it to multiple people?

Something doesn't add up.

But it sounds like you're being paranoid about how often email is eavesdropped.

N'thing snail mail. The cost of a stamp is cheap compared to your idea of security.

If you can't mail it to them (it would take too long) then use a pair of emails. Send one largely innocuous email, then send another that uses something from that in the password.

For example: The code you need is "123456abcd" without the quotes, plus the first letter of the first three words of my last email (case sensitive).

For bonus paranoia don't use the word "password" in the email so someone's automated email snarfer doesn't get tripped.

PGP is the right answer for the right audience (i.e., a reasonably technical one). If they're the usual Office and Outlook crowd, PGP is not worth the trouble, even if they're otherwise smart people. (He says, from personal exasperating experience.)

Or rot13 it and tell them to enter the password you send here to decode it. (Also in two emails, one telling them to rot13, the other with the encoded password.)
posted by Ookseer at 8:52 PM on June 28, 2008


Option one. Encrypt the password in a zip file. Make the password of the zip file some shared information. For example, tell them to decrypt the zip file using their SSID as a password.

Option two. Install Skype on everyone's machine. Tell them you will only send passwords through Skype. Skype is the only application that I know of that offers end-to-end encryption out of the box, with no configuration whatsoever.
posted by gmarceau at 10:22 PM on June 28, 2008


I'm a bit confused - you want to send an important password securely, yet also readily distribute it amongst lots of people? I don't understand why you can't just phone the client and make it their responsibility to distribute the password however they see fit, that's how it'd normally work in any sensible situation and means you're less liable for blame if something does go wrong.
posted by malevolent at 12:11 AM on June 29, 2008

