Sending passwords securely
TL;DR
Stop sending passwords in the body of emails, chats and SMS messages. If you’re not using a trusted password manager with a secure one-time send feature, try Password Pusher instead.
The problem
You need to send a password or some other secret to a colleague, friend or family member as a one-off and you’re wondering,
How do I do this securely? Once I’ve sent it, job done. It’s up to them to keep it safe. But I want to make sure that only they receive it.
Sound familiar? No doubt you’ve either run into this before yourself or it rings some bells. It’s certainly a common one for IT professionals responsible for managing staff accounts in their organisation.
It goes a little something like this:
- New employee starts. OK.
- Employee needs account. Done.
- Employee needs account credentials. Naturally.
- Employee has no access to their new company mailbox to retrieve their new credentials. Hmm…
Tried and tested… and best avoided
You’re probably already thinking of a few ways to send this password. That’s good, but let’s have a think about some of the more obvious ones, along with their caveats.
Phone call
Who doesn’t have a phone, right? Yes, but…
- Eavesdropping. You never know who’s around the corner or on the other side of a thin wall.
- Spelling it out. This could take a while if it’s long, which it should be.
- The recipient has to record what they’re hearing. Are they typing it straight into a trusted password manager, or are they writing it down on a sticky note? If you don’t know and they’re unlikely to care, that’s a problem.
SMS
Another tried and tested (and often neglected) method is SMS text messaging. Unfortunately for SMS…
- It’s unencrypted. OK, someone actually intercepting your message with a cell-site simulator, aka a Stingray or IMSI catcher, and then extracting the password from the message, is probably not in your threat model. But we’re all about principles here.
- If the password is not already on the sending device, it has to be typed into a message manually. The recipient will likely have the same issue but in reverse.
- Messages tend to pile up forgotten. Will this one be deleted once it’s no longer needed? Maybe, maybe not. Maybe the recipient intends to but then forgets. Maybe they lose their phone. Maybe someone finds their phone…
Email
Email is an old technology. The messages themselves, together with the lack of care people take when sending them, mean email is also pretty insecure as a method of communication unless other technologies provide the necessary security, such as authentication, firewalls and access controls.
- It’s also unencrypted by default (see PGP and GPG for end-to-end encryption).
- Messages tend to get moved or soft deleted rather than permanently deleted. When they’re soft deleted or archived, they’re most likely retrievable for years afterwards.
Messaging apps
Most of the popular messaging apps like Signal and WhatsApp now provide end-to-end encrypted messaging as standard. However, while this is ideal for our private conversations with others, our password could hang around in a chat longer than we’d like it to, especially if optional features like disappearing messages aren’t enabled.
Password Pusher
So here’s your easy-to-use, free and open source solution: Password Pusher. As you’ve no doubt already guessed, Password Pusher is first and foremost a website GUI tool.
The website presents you with a text box. Once you’ve entered your password or other secret into this box and clicked on the big blue “Push it!” button, a unique link will be generated using the default settings and then shown on screen. Something like:
https://pwpush.com/en/p/zptuyw5wfm-wsn56aje
All you’d need to do now is send the link to your recipient. Easy, right? The defaults are all good for most people, but you can also tailor links to additional requirements, such as setting links to expire after a set number of days and/or views.
You can even generate random passwords, allow for immediate deletion and password-protect the link using “Passphrase Lockdown”.
Give it a try
If you haven’t tried it already, send a few passwords to yourself. It’s easy, free and open source. If it becomes a valued part of your toolkit, you’ll also want to check out the Pushie mobile app, which is a clean, simple interface to the Password Pusher API.
If you’re keen to get on the command line, why not take things a step further? Password Pusher can also be used as a CLI tool, and the JSON API would come in handy for your own scripting, automation or app development.
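As an added example of the scripting use just mentioned (this is not code from the post or from the Password Pusher project), here is a small Python client that builds a push request with the expiry, viewer-deletion and passphrase options described above and turns the response into the link to hand over. The `/p.json` endpoint, the `password[...]` parameter names and the `url_token` response field are assumed from the public API and should be checked against the project's own API documentation.

```python
import json
import urllib.request

# Endpoint, parameter names and response fields follow the public Password
# Pusher JSON API as assumed by this example; verify them against the docs.
PUSH_ENDPOINT = "/p.json"


def build_push_request(secret, expire_after_days=1, expire_after_views=1,
                       deletable_by_viewer=True, retrieval_step=True,
                       passphrase=None):
    """Build the JSON body for a one-time push. Tight defaults: one day, one view."""
    if not secret:
        raise ValueError("refusing to push an empty secret")
    if expire_after_days < 1 or expire_after_views < 1:
        raise ValueError("expiry must be at least 1 day and 1 view")
    password = {
        "payload": secret,
        "expire_after_days": expire_after_days,
        "expire_after_views": expire_after_views,
        # let the recipient burn the link as soon as they have read it
        "deletable_by_viewer": deletable_by_viewer,
        # require a click before revealing, so link-preview bots don't use up a view
        "retrieval_step": retrieval_step,
    }
    if passphrase:
        password["passphrase"] = passphrase  # "Passphrase Lockdown"
    return {"password": password}


def share_url(response, base_url="https://pwpush.com"):
    """Turn the API response into the link to send to the recipient."""
    token = response.get("url_token")
    if not token or response.get("expired"):
        raise ValueError("push was not created")
    return f"{base_url}/p/{token}"


def push(secret, base_url="https://pwpush.com", **options):
    """Perform the push over HTTPS and return the share link (makes a network call)."""
    body = json.dumps(build_push_request(secret, **options)).encode()
    req = urllib.request.Request(base_url + PUSH_ENDPOINT, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return share_url(json.load(resp), base_url)


if __name__ == "__main__":
    # The link, not the secret, is what you send on; the link is itself a bearer
    # token until it expires, so keep expiry and view counts as low as practical.
    print(push("correct horse battery staple", expire_after_views=2))
```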
I’d be interested to know how you get on with Password Pusher, or if there are alternative tools or methods you recommend. Let me know by reaching out on Mastodon or via email.
Just don’t send me any passwords ;)