The problem with the way you’ve been sharing passwords up to now
Sometimes, you need to give someone else a password to an online account of yours, and you might not have access to a sophisticated encrypted password sharing solution to do it. The majority of people don’t think twice before shooting off the login via email. In this post, we’ll examine why that’s a disaster waiting to happen and how to share passwords in a safer way.
Consider: If you send a username/password combo via email or Skype or Facebook Messenger or text message, it might be safe now… But if you OR the person who received it ever loses control of that account at any time in the future, the intruder now has everything they need to use the login you sent, too. It’s all still there in your histories.
People lose control of their email and messaging accounts on a regular basis, and hacking is NOT the only way that it can happen. Sometimes, people simply forget to log out of their accounts at the office, and someone slips into their seat while they’re in the restroom… They might leave their laptop or phone in a coffee shop. Maybe their laptop bag is snatched off their shoulder in a crowd.
Awareness of digital security is on the rise, but even among those who understand the dangers of sending a username and password together via email, text or messenger, most just don’t know what a safer alternative might be.
How to share passwords safely: a simple solution
Recently, a client of ours sent me a username via email, and the password to the account via SMS text to my phone. I was so excited! This was a non-technical person who understood that there were dangers associated with unencrypted usernames and passwords existing in the same space together, and was taking action to reduce their risk. This way, I would have to lose control of both my email AND my phone at the same time for her account to be put at risk. This is a great start.
Login sending rule #1
Never let your unencrypted username and password exist in the same place, such as within the same email or text.
Login sending rule #2
Use onetimesecret.com for sending the password. This simple website generates a link that will work only once, destroying your secret the moment your recipient looks at it. This gives your intended recipient the opportunity to move the password into a properly encrypted storage solution. And if their email is broken into at some point in the future, there will be no old password reveals just lying around for the intruder to peek at!
When using onetimesecret.com, DO NOT put both the username and password together in your secret: doing so violates rule #1. Keeping them apart also addresses common concerns such as “What if someone else manages to guess and use the link before my intended recipient?” or “What if onetimesecret.com is hacked or run by people I can’t trust?” Even in a scenario like that, the person who stole the secret would have only a meaningless jumble of numbers and letters, with no indication as to what site to enter it into or what username it might match to.
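How a link that works only once behaves, as an added illustration (this is not onetimesecret.com's code or API; the names `OneTimeStore`, `put` and `reveal` are hypothetical and the password is constructed sample data):

```python
import hashlib
import secrets
import time


class OneTimeStore:
    """In-memory burn-after-read store (hypothetical, for illustration only)."""

    def __init__(self, clock=time.time):
        self._items = {}      # sha256(token) -> (secret, expiry timestamp)
        self._clock = clock   # injectable so expiry can be exercised in tests

    @staticmethod
    def _index(token):
        # Index by a hash of the token so the link itself is never stored.
        return hashlib.sha256(token.encode()).hexdigest()

    def put(self, secret, ttl_seconds=3600):
        """Store a secret and return the unguessable token that goes in the link."""
        token = secrets.token_urlsafe(32)   # 256 random bits
        self._items[self._index(token)] = (secret, self._clock() + ttl_seconds)
        return token

    def reveal(self, token):
        """Return the secret once; every later or wrong request gets None."""
        item = self._items.pop(self._index(token), None)  # pop = destroyed on first look
        if item is None:
            return None
        secret, expires_at = item
        if self._clock() >= expires_at:
            return None   # an unopened link also stops working after its TTL
        return secret


def demo():
    store = OneTimeStore()
    # Rule #1: the secret holds the password only, no username and no site name.
    token = store.put("x7Fq-constructed-sample")
    first_view = store.reveal(token)                     # intended recipient
    second_view = store.reveal(token)                    # anyone reading old mail later
    guessed = store.reveal(secrets.token_urlsafe(32))    # a stranger guessing a link
    return first_view, second_view, guessed


if __name__ == "__main__":
    print(demo())
```

Until the link is opened, the store holds the secret in readable form, which is why only the password belongs in it.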
Login sending rule #3
Ask whoever receives the information to store that password with encryption, so that even if someone does hack their account, your logins still have an extra layer of protection on them. If you can, make people you share your login data with sign something agreeing that they will handle your data with the care it deserves!