  1. #1
    SitePoint Member vandalais's Avatar
    Join Date
    Aug 2008
    Location
    New Orleans, LA
    Posts
    8

    Communicating Passwords

    I'm looking for an easy (extremely) way for clients to communicate their passwords to me other than clear text. I need the password to work on their site. I always tell my clients to never send them in clear text via email. The only solution I use at this point is to call the client for a password and this is not convenient for either of us. As a related question, WordPress sends passwords for new users out in clear text; does this mean that the passwords are not hashed in WP? The solution must be extremely easy for the client as most are not that tech savvy.

    Thanks,
    Keith

  2. #2
    Barefoot on the Moon! silver trophy Force Flow's Avatar
    Join Date
    Jul 2003
    Location
    Northeastern USA
    Posts
    4,606
    Quote Originally Posted by vandalais View Post
    WordPress sends passwords for new users out in clear text, does this mean that the passwords are not hashed in WP?
    They are hashed when stored in the database. When a new user is created, the password is created & stored in memory, hashed & stored in the database, sent (from the variable stored in memory), and then the original plain-text password disappears once the user creation function is complete.

    As for your submission problem, just create a simple submissions form and protect it with SSL.
    Last edited by Force Flow; Jun 15, 2011 at 08:05.
    Visit The Blog | Follow On Twitter
    301tool 1.1.5 - URL redirector & shortener (PHP/MySQL)
    Can be hosted on and utilize your own domain

  3. #3
    . shoooo... silver trophy logic_earth's Avatar
    Join Date
    Oct 2005
    Location
    CA
    Posts
    9,013
    Lastpass has a share password feature...
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  4. #4
    SitePoint Member vandalais's Avatar
    Join Date
    Aug 2008
    Location
    New Orleans, LA
    Posts
    8
    Quote Originally Posted by logic_earth View Post
    Lastpass has a share password feature...
    I didn't know that. That would be a good solution for me to send passwords back to customers. I'm still looking for a way for them to send them to me. So far setting up a secure page with a form seems the most viable. I guess what I am really hoping for is a service that did this.

    So when most of you are working on a site, you just have them email the password to you? I don't know if I'm just being overly cautious but some of you must work on some HIPAA sites.

    I work on quite a few ecom sites and would imagine the transmitting of passwords in clear text would be against PCI compliance policies.

  5. #5
    secure webapps for all Aleksejs's Avatar
    Join Date
    Apr 2008
    Location
    Riga, Latvia
    Posts
    755
    I think that the usual practice is to change the password immediately after the other party has finished working with the account.

  6. #6
    secure webapps for all Aleksejs's Avatar
    Join Date
    Apr 2008
    Location
    Riga, Latvia
    Posts
    755
    Also:
    One way to communicate a password more securely is to split it into multiple parts and send each part using a different channel.
    Part1 = random_string
    Part2 = random_string
    Part3 = password xor Part1 xor Part2

    Send Part1 via e-mail (as image)
    Send Part2 via SMS
    Send Part3 via snailMail (ok joking)

    And then on the other end the password is recovered:
    Password = Part1 xor Part2 xor Part3
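
The XOR split described in post #6, generalised to any number of channels, as an added example that is not part of the original thread. The fixed share size `PAD_LEN`, the hex encoding for transport and all function names are assumptions made here.

```python
import secrets

PAD_LEN = 64  # assumed fixed share size, so shares do not reveal the password length


def _xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("shares must all have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def _pad(password: str) -> bytes:
    raw = password.encode("utf-8")
    if not 0 < len(raw) < PAD_LEN:
        raise ValueError(f"password must be 1..{PAD_LEN - 1} bytes")
    # one length byte, the password, then zero fill up to PAD_LEN
    return bytes([len(raw)]) + raw + bytes(PAD_LEN - 1 - len(raw))


def split_password(password: str, channels: int = 3) -> list[str]:
    """Return one hex share per channel; every share is required to recover."""
    if channels < 2:
        raise ValueError("need at least two channels")
    # Part1..Part(n-1) are random strings from the OS CSPRNG
    parts = [secrets.token_bytes(PAD_LEN) for _ in range(channels - 1)]
    # last part = password xor Part1 xor Part2 ...
    last = _pad(password)
    for p in parts:
        last = _xor(last, p)
    return [p.hex() for p in parts + [last]]


def recover_password(hex_shares: list[str]) -> str:
    """Password = Part1 xor Part2 xor ... xor PartN."""
    acc = bytes(PAD_LEN)
    for share in hex_shares:
        acc = _xor(acc, bytes.fromhex(share.strip()))
    length = acc[0]
    if not 0 < length < PAD_LEN or any(acc[1 + length:]):
        raise ValueError("a share is missing, altered, or from another split")
    return acc[1:1 + length].decode("utf-8")


if __name__ == "__main__":
    shares = split_password("S3cr3t-FTP-pass!")  # constructed sample password
    print(recover_password(shares))
```

Each share on its own is uniformly random, so reading a single channel reveals nothing about the password; the split gives no protection against someone who can read every channel.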

  7. #7
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,813
    Quote Originally Posted by vandalais View Post
    I'm looking for an easy (extremely) way for clients to communicate their passwords to me
    How do you intend to deal with clients who have learnt rule one of computer security - Never tell your password to anyone, ever.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  8. #8
    Barefoot on the Moon! silver trophy Force Flow's Avatar
    Join Date
    Jul 2003
    Location
    Northeastern USA
    Posts
    4,606
    Quote Originally Posted by felgall View Post
    How do you intend to deal with clients who have learnt rule one of computer security - Never tell your password to anyone, ever.
    Instruct them to change it after the task/job/project is complete?

  9. #9
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,813
    Quote Originally Posted by Force Flow View Post
    Instruct them to change it after the task/job/project is complete?
    Since they would never give it to you in the first place, why would they need to change it?

    If you need to ask people for their password then you are working the wrong way in the first place.

  10. #10
    SitePoint Addict bimalpoudel's Avatar
    Join Date
    Feb 2009
    Location
    Kathmandu, Nepal
    Posts
    279
    I use Password Corral - Cygnus Productions [Password Corral - Freeware]

    The .pc files it produces are encrypted and open with a different password.
    While exchanging a list of passwords, I give the entire file, and exchange the master password alternatively.

    My list of passwords may include:
    FTP details.
    Database details
    Application's own login details
    Other passwords

    But be sure that the file contains the password information of ONLY the customer you are dealing with, per single .pc file.
    Bimal Poudel @ Sanjaal Framework over Smarty Template Engine
    ASKING INTERESTING QUESTIONS ON SITEPOINT FOURM

    Hire for coding support - PHP/MySQL

  11. #11
    Barefoot on the Moon! silver trophy Force Flow's Avatar
    Join Date
    Jul 2003
    Location
    Northeastern USA
    Posts
    4,606
    Quote Originally Posted by felgall View Post
    Since they would never give it to you in the first place, why would they need to change it?

    If you need to ask people for their password then you are working the wrong way in the first place.
    Have them create an account for you? Though, they aren't always familiar enough with their control panel to actually do that...

  12. #12
    SitePoint Member
    Join Date
    Feb 2011
    Location
    Virginia
    Posts
    10
    Sharing via SMS is more secure than clear-text email.

  13. #13
    SitePoint Member vandalais's Avatar
    Join Date
    Aug 2008
    Location
    New Orleans, LA
    Posts
    8
    Actually I found out that LastPass has this functionality. You can share an encrypted password through their site.

