Security's Everyman
Monday, July 16, 2007
You know better than that
Posted by Andy, ITGuy at 11:04 AM
Labels: Andy ITGuy, information security, passwords
I received a password protected document from a security company that we do business with. I did not know the password so I sent him an email letting him know that. I expected to get a phone call but to my surprise and disappointment I received an email with the password in plain text. Now the document was not of a highly sensitive nature but it's not something that is meant for the public eye.
Of course the sensitivity of the document is not the issue here. The issue is that the password was sent via email. And worse than that is the fact that it was a security professional that did it. Someone who really should know better. I realize that the chance of someone actually sniffing out the connection at that moment and pulling the password is remote and that it is even more remote that he would have been able to capture the earlier email with the document attached to it.
It's just one of those things that gets my goat just a little. Of course shortly after I started writing this I received another email with a password in it. This one was from a friend and Security Professional. What am I gonna do with you guys! :)
7 comments:
Thus proving the age-old adage that cryptography is easy to secure, it's the key distribution that will kill you every time. =)
BTW, the password is "prettysecret". But it's just a secret between the 2 of us, OK?
It happens all the time. Also, many people seem to think that putting a password on a zip file is "encryption". It isn't. Get PGP Desktop and use a PGP Zip.
I had a similarly mind boggling comment a few days ago. While working at a customer, I needed access to a machine on which we were running some tests. I did not have a password, so I asked for one to be sent either in a pgp-encrypted mail or via an SMS text message that /just contained the password/. The response that I got back (in plain text) was:
Sorry, we do knot know what PGP is, but the username/password to my.box.nl is xx/yyy. We have also sent it to your cell phone number at 06xxxxxxxx.
1) A security consulting organization that does not know what PGP is?!
2) Username, password AND host name in plain text in email
3) Username, password and host name in plain text SMS message
4) My cell phone number in the same message.
All in all, my level of appreciation for this company dropped significantly.
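As an added, defender-side illustration (not code from the post or any of its commenters): a small outbound-mail check that flags the kind of message quoted above, where a password, and worse a username and host name alongside it, travel in clear text. The sample message and the pattern set are constructed for this example and are deliberately narrow.

```python
import re
from dataclasses import dataclass

# Patterns that usually mean a credential is being handed over in the body.
# Constructed for this example; a real DLP rule set would be much broader.
CRED_PATTERNS = [
    # "username/password to <host> is user/secret"
    re.compile(r"\buser(?:name)?\s*/\s*pass(?:word)?\b.*?\bis\s+(\S+)\s*/\s*(\S+)", re.I),
    # "password is secret", "password: secret", "password = secret"
    re.compile(r"\bpass(?:word|phrase|code)?\b\s*(?:is|[:=])\s*[\"']?([^\s\"']+)", re.I),
]
# A bare host name on the same line turns a leaked password into a ready-to-use login.
HOST_PATTERN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


@dataclass
class Finding:
    line_no: int
    reason: str
    severity: str


def scan_message(body: str) -> list[Finding]:
    """Return one Finding per line of `body` that appears to disclose a credential."""
    findings = []
    for line_no, line in enumerate(body.splitlines(), 1):
        hit = next((m for m in (p.search(line) for p in CRED_PATTERNS) if m), None)
        if not hit:
            continue
        # Password alone is bad; password + username + host is the full kit the thread complains about.
        has_user = len(hit.groups()) > 1 or bool(re.search(r"\buser(?:name)?\b", line, re.I))
        has_host = bool(HOST_PATTERN.search(line))
        severity = "high" if (has_user and has_host) else "medium"
        reason = "clear-text password" + (" with username" if has_user else "") + (" and host" if has_host else "")
        findings.append(Finding(line_no, reason, severity))
    return findings


# Constructed sample, modelled on the reply quoted in the comment above.
SAMPLE_MAIL = """\
Hi, thanks for the report.
Sorry, we do not know what PGP is, but the username/password to test.example.com is tester/Wint3r!
We also sent it to your cell phone.
BTW, the password is "prettysecret".
"""

if __name__ == "__main__":
    for f in scan_message(SAMPLE_MAIL):
        print(f"line {f.line_no}: {f.severity}: {f.reason}")
```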
It's kinda like getting emailed a password to a system, it happens all the time.
I don't mind it so much if it doesn't also include the username and what the info is used for (site XYZ).
For instance, I keep my password written down in a journal of mine that I keep either in my bag or home at all times. But the passwords are not qualified. You can see the password JHER54JHherm, but God help you in figuring out what I use that password for and whether it is even in use anymore since I rotate them. :)
Seth Godin's mantra (http://sethgodin.typepad.com/) comes to mind: Every single interaction is an opportunity to do marketing, not a chance to cut costs.
The href link in my previous comment got munged by Blogger's moderation software. (It looked fine when I previewed it prior to submitting.) The comment is supposed to start with "Seth Godin's mantra [...]" with a link to http://sethgodin.typepad.com/ Please fix it if you can. Thanks.
While working as the Director of Information Security at a public company I was asked to participate in the new laptop rollout pilot so that I could evaluate the security of the builds. Just prior to the beginning of the deployment, all pilot users were sent an email with our instructions. In the email was the request that we respond to the email with our passwords so that the help desk could migrate our user profiles.
Needless to say, I was more than a little miffed! Even worse, before I had a chance to kibosh these instructions 12 users had already complied.