I’m pretty sure sending login information (username, password) to clients in a plain email is not very safe.
First, why not? I’m not sure how packet sniffing (if that’s what the insecurity is) works, or whose computers (other than my cable company’s and various ISPs’) will see/pass on the packets.
Second, is it safe to simply put the needed information in a Word or Zip file and send it as an attachment, or can sniffers look inside those as well? How best to send such information when phoning/faxing is not an option and clients aren’t very sophisticated? These aren’t nuclear secrets, but malicious use of the information could result in hours of headaches.
Standard email is a plain text transmission by default. Anyone packet sniffing on any of the networks that your email traverses can theoretically capture the email and read it. In practice, there are a number of technical complications with packet sniffing that can make the process more difficult, but better safe than sorry.
Sending information in an email attachment by itself doesn’t help either; a person can capture the attachment, run a file identifier to determine the file format, and open the file. If standard methods like encrypting the email via PGP or phoning the information aren’t feasible (standard postal mail?), I’m not sure what choice you have but to send the information in the clear, though. If your authentication system permits, you definitely want to configure it to require the user to change the password at first login.
There’s no safe way to send a password over email. It’s better to make a phone call. Enclosing it in a Zip or Word file doesn’t make much of a difference, although an “encrypted” zip will at least stop very casual snoopers.
You might consider setting the password to a shared “secret”. Something you both know and can unambiguously describe in the clear. A personal fact or a detail about the account that isn’t easily snooped would work.
When you do do a password reset, make sure the client immediately changes the temporary password that you have just set. That at least prevents long-after-the-fact snoopers from getting into the account.
I am not a security expert, but it is my understanding that
a) it is best to never email users passwords, but have password prompts during account creation over a secure connection; and,
b) never store passwords on your site, but hashes.
Apart from hash collisions, the only real security hole in this case is how you deal with lost passwords. I am unaware of any scheme which is practical other than sending a password and forcing the user to change it on the next login.
As to your zip file question, anything you expect your user to read can in principle be read by some interested party, unless you use strong encryption. This creates a burden on your users for very little benefit.
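As an added example (not written by any poster in this thread), here is a minimal Python sketch of two points made above: the site stores only salted hashes, never passwords (point b), and a password reset issues a random temporary password that expires and must be changed at first login (the advice given earlier). The in-memory store, the one-hour TTL and the function names are my own assumptions; delivering the temporary password to the user is still the out-of-band problem the thread is discussing.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory user store: username -> record. A real site would use a database.
USERS = {}

def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256: only the salt and this digest are ever stored, never the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def issue_temporary_password(username: str, ttl_seconds: int = 3600, now=None) -> str:
    """Reset flow: mint a random one-time password, store only its hash with an expiry
    and a must_change flag, and return the plaintext once so it can be delivered."""
    now = time.time() if now is None else now
    temp = secrets.token_urlsafe(12)
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash(temp, salt),
                       "must_change": True, "expires_at": now + ttl_seconds}
    return temp

def _verify(rec, password: str, now: float) -> bool:
    if rec is None:
        return False
    if rec["expires_at"] is not None and now > rec["expires_at"]:
        return False  # an unused temporary password has lapsed
    return hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"])

def login(username: str, password: str, now=None) -> str:
    """Return 'ok', 'change_required' (temporary password accepted, new one needed) or 'denied'."""
    now = time.time() if now is None else now
    rec = USERS.get(username)
    if not _verify(rec, password, now):
        return "denied"
    return "change_required" if rec["must_change"] else "ok"

def change_password(username: str, current: str, new_password: str, now=None) -> bool:
    """Replace the current (possibly temporary) password; clears must_change and expiry,
    so an intercepted copy of the temporary password stops working immediately."""
    now = time.time() if now is None else now
    if not _verify(USERS.get(username), current, now):
        return False
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash(new_password, salt),
                       "must_change": False, "expires_at": None}
    return True
```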
Thanks. It sounds like my other idea, sending login information in a separate email from the URL is another way to go (but I still have to hope someone doesn’t get both emails and put everything together).
I don’t quite understand the Internet enough to really grasp that. Do you mean everyone that appears in a tracert command has an opportunity to look inside? Who are these people? Since tracert can display different routes in successive traces, does that support the idea of sending sensitive information in separate emails?
Yes, sending separate emails means that at least some of the time the two will travel by different routes. Technically, different parts of the same email can travel by different routes, since information transmitted on the Internet is split into packets, but that’s probably more than you need to know.
They aren’t people. Most of the addresses you see in a traceroute are routers. They receive your packet, examine the routing information, determine what router they’re directly connected to that can get the packet closer to its intended destination, and send the packet off to it.
Yes, each and every one of them receives your packet and can look inside it. Typically, they’re not going to do so because it would slow them down (and because they don’t care).
Packet sniffing can be done in different ways. A cracker with access to a computer on the network you’re using could use it to look for emails coming from you. Someone who got access to one of the routers could write a sniffer program that watched for your emails and redirected copies of them elsewhere. Either of these requires someone to get to a computer or router that’s guaranteed to be in the path of your emails.
But by FAR the most common method would be to break into the sending computer itself or the mail server that it uses.
This isn’t necessarily a bad question, but I’d suggest stepping back for a moment and thinking about who is going to be interested in stealing this password, and whether they know it’s being sent.
If there’s serious money on the line (e.g. a bank account or even on-line shopping account that remembers credit card info) AND this is a routine for many customers, then someone’s got the motivation and opportunity to sniff packets and you should worry about security.
If there’s no money, but something that computer-literate types might care about (test scores, computer game stuff), then you should worry, too.
But if this is something not valuable to steal (password to a message board account, log-in that you need to be at a particular computer to use), and this is a one-time thing, I wouldn’t worry too much.
Depending on who you are sending it to, you could use Hushmail or something similar. Yeah, I’m sure the CIA would be able to crack that, but AFAIK a casual hacker wouldn’t.
If you’re going to do it then it’s probably a good idea to at least avoid using the word “password” in the email. If someone was sniffing then that would be an obvious thing to look for.