[TriLUG] Securely and Accurately transmit passwords

Christopher L Merrill chris at webperformance.com
Mon Oct 1 15:15:20 EDT 2007


Disclaimer: I know *jack* about security.  We implement what we can
if it is easy and seems effective.

We do stuff like this on our internal wiki.  Every person can VPN into
our office and look up information they need securely.  This reduces
the temptation to write it down, since this way it's always handy and
current. Granted, this puts the burden on our firewall and site security,
but at least then we somewhat localize our points-of-failure to
our firewall and VPN.

If VPN was not an option, then we'd probably put up a secure public
site with the required information.  It's more dangerous, IMO, but again
if it prevents people from sticky-noting the passwords, then at least we
can fight the fight in one place.

There's probably a zillion reasons this is not the best solution, but
I think/hope it's better than weak/common passwords or writing them down.
I'm hoping to hear a better solution, too!

my 2c
C


Chris Knowles wrote:
> Seeking advice, anecdotes, ideas...
> 
> Here's my situation.  I have a pool of 20+ people that are off-site.
> 
> I occasionally have need of communicating to them system password
> changes.
> 
> In the past, we've sent them cards with the passwords printed on them,
> with admonishments to destroy cards after the item has been committed to
> memory.  
> 
> Recently we've started seeing that they've taken these cards, taped them
> into their laptops in plain sight.  (And occasionally annotated them
> with much too much information as to what that password would buy you.)
> 
> Since the passwords are complex, phone conversations tend to lead to a
> lot of phonetic spelling and shouting.  
> 
> Since some of the users have POP accounts for their e-mail I don't want
> to use e-mail as a secure method of sending them passwords.
> 
> So, what do *you* use for password distribution?
> 
> CJK
> 


-- 
------------------------------------------------------------------------ -
Chris Merrill                           |  Web Performance, Inc.
chris at webperformance.com                |  http://webperformance.com
919-433-1762                            |  919-845-7601

Website Load Testing and Stress Testing Software & Services
------------------------------------------------------------------------ -


