I’m looking for an (extremely) easy way for clients to communicate their passwords to me other than in clear text. I need the password to work on their site. I always tell my clients never to send them in clear text via email. The only solution I use at this point is to call the client for a password, and this is not convenient for either of us. As a related question, WordPress sends passwords for new users out in clear text; does this mean that the passwords are not hashed in WP? The solution must be extremely easy for the client, as most are not that tech savvy.
They are hashed when stored in the database. When a new user is created, the password is created and stored in memory, hashed and stored in the database, sent (from the variable stored in memory), and then the original plain-text password disappears once the user creation function is complete.
As for your submission problem, just create a simple submission form and protect it with SSL.
I didn’t know that. That would be a good solution for me to send passwords back to customers. I’m still looking for a way for them to send them to me. So far setting up a secure page with form seems the most viable. I guess what I am really hoping for is a service that did this.
So when most of you are working on a site, you just have them email the password to you? I don’t know if I’m just being overly cautious but some of you must work on some HIPAA sites.
I work on quite a few ecom sites and would imagine the transmitting of passwords in clear text would be against PCI compliance policies.
One way to communicate a password more securely is to split it into multiple parts and send each part using a different channel.
Part1 = random_string
Part2 = random_string
Part3 = password xor Part1 xor Part2
Send Part1 via e-mail (as image)
Send Part2 via SMS
Send Part3 via snail mail (ok, joking)
And then on the other end the password is recovered:
Password = Part1 xor Part2 xor Part3
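The XOR split described above, as an added example that is not part of the original post. It generalises the three-part scheme to n parts: every part except the last is a random one-time pad the same length as the password, so any n-1 parts together are statistically independent of the password and only the full set recovers it. Function names and the hex transport encoding are my own choices, not something from the thread.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR; the parts must all be the same length as the password."""
    if len(a) != len(b):
        raise ValueError("parts must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_password(password: str, n: int = 3) -> list[bytes]:
    """Split password into n parts (Part1..Partn in the post's notation).

    Parts 1..n-1 are fresh random bytes from the OS CSPRNG; the last part is
    the password XORed with all of them.  Every part is uniformly random on
    its own, so leaking any n-1 of them reveals nothing about the password.
    """
    if n < 2:
        raise ValueError("need at least two parts")
    secret = password.encode("utf-8")
    parts = [secrets.token_bytes(len(secret)) for _ in range(n - 1)]
    last = secret
    for pad in parts:
        last = xor_bytes(last, pad)
    parts.append(last)
    return parts


def combine_parts(parts: list[bytes]) -> bytes:
    """Password = Part1 xor Part2 xor ... xor Partn (order does not matter)."""
    acc = bytes(len(parts[0]))
    for part in parts:
        acc = xor_bytes(acc, part)
    return acc


def recover_password(parts: list[bytes]) -> str:
    return combine_parts(parts).decode("utf-8")


def to_transport(part: bytes) -> str:
    """Hex encoding so a part survives e-mail, SMS or a printed note intact."""
    return part.hex()


def from_transport(text: str) -> bytes:
    return bytes.fromhex("".join(text.split()))
```

Each part must travel over a genuinely separate channel; if two parts reach the same mailbox the scheme degrades to one-time-pad-with-the-pad-attached.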