Thursday, 24 February 2011

"I'll send you the password via email..."

It's 4.55 p.m. on a wet and windy Friday night, somewhere in the great metropolis, and you're coming to the end of a long working week. In just 5 minutes' time you'll be going home, ready to enjoy the promise of a weekend you have been planning for months. The hotel room is booked, the kids have been shipped off to your sister-in-law, and the wife has been out shopping today at that new Ann Summers shop in the high street - life really is good.

Just as you're about to go home, the phone rings. It rings in that particular way it does when it's Dave - good old Dave in Accounts. Dave, who got you into trouble last week by sending you that link that was so "Not Safe For Work", the one whose aftermath took Brian in I.T. 3 days to repair...

"I need the password for the Director's pension file..."

Why NOW?! All you can think about is what colour undies may be waiting for you tonight...

"I'll send you the password by email" you hear yourself say. As you're about to press the send button, out of the corner of your eye you can see Brian from I.T., wielding a baseball bat, and wearing a malicious grin...

Now that I have your attention, as I gently fondle my very own baseball bat, I think the time has come to tell you the truth.

Email is not secure.

There - I've said it. I know you use it every day, and I know you can't live without it, but it is not safe. When you send an email, it travels in plain text format - that is, it is completely readable by anyone who sees it in transit. This is necessary because email has to travel between varying systems that use varying technologies - it simply can't travel any other way, and by default, when we send an email, it travels in plain text. Therefore, sending a password by email is like throwing your front door key into a crowd whilst shouting "that's for number 29, folks - help yourselves!"

So, how do we send a password (or a document) safely via email, if we have no other choice? Well, we disguise it, using encryption. Encryption is a method by which we turn a piece of data into something unrecognizable, and then change it back again later on. Encryption options depend upon the type of email client you are using, so I can't really give specifics, but Google is your friend: just look up the email encryption options for your email client. Most are based on some sort of PGP public/private key encryption or Digital IDs.

Failing that, create a document, place the password in the document, and use an archiving tool like WinZip, WinRAR or 7-Zip to generate a password-protected archive containing the document, which you can then send in an email. Then phone the recipient and give them the password to the archive, rather than emailing it.

That's all till next time, folks. Remember, stay safe - or me and "my little friend" may have to have a word with you... ;)


Cathy said...

Just a quickie to say that the Palace has relocated to:

It looks pretty dire at the moment, but I'll be working on this. Oh Yes.


Chris Locke said...

Related to Shaun's post...


For passwords, nothing beats a good phrase, e.g. 'i'm always buying rubbish' for your eBay account. Use the first letter of each word (iabr), then use a weird character, e.g. %, then finally some numbers, e.g. 8766. This gives you iabr%8766. Not a dictionary word, and something a 'brute force' attack would take ages to crack. Maybe. Or an hour. Depends on if they're using a P3-266 or not...
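To put a figure on the "would take ages... Or an hour" question, here is an added example (my code, not the post's or the commenter's) that sizes the search space of the construction above, phrase initials plus a symbol plus digits, once for a guesser who knows the pattern and once for a genuinely random string of the same length. The guess rate of 1e9 per second in the demo is an assumed, illustrative figure.

```python
import math
import re

# Alphabet sizes assumed for the construction: a-z, 0-9, printable punctuation.
LOWER, DIGITS, SYMBOLS = 26, 10, 32


def scheme_space(n_letters: int, n_symbols: int, n_digits: int) -> int:
    """Candidates left when the letters+symbol+digits pattern is known."""
    return LOWER ** n_letters * SYMBOLS ** n_symbols * DIGITS ** n_digits


def random_space(length: int) -> int:
    """Candidates for the same length drawn uniformly from all three sets."""
    return (LOWER + DIGITS + SYMBOLS) ** length


def pattern_bits(password: str) -> float:
    """Entropy in bits of a letters+symbol(s)+digits password under the scheme.

    Raises ValueError when the password does not follow that construction.
    """
    m = re.fullmatch(r"([a-z]+)([^a-z0-9]+)([0-9]+)", password)
    if not m:
        raise ValueError("not of the form letters+symbol(s)+digits")
    letters, symbols, digits = (len(g) for g in m.groups())
    return math.log2(scheme_space(letters, symbols, digits))


def random_bits(length: int) -> float:
    return math.log2(random_space(length))


def exhaust_seconds(bits_of_entropy: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return 2 ** bits_of_entropy / guesses_per_second


if __name__ == "__main__":
    pw = "iabr%8766"  # the commenter's example
    for label, b in (("known pattern", pattern_bits(pw)),
                     ("random, same length", random_bits(len(pw)))):
        print(f"{label:20s} {b:5.1f} bits  "
              f"{exhaust_seconds(b, 1e9):.0f} s at 1e9 guesses/s (assumed rate)")
```

The pattern-aware figure (about 37 bits) is what the scheme actually buys; the random figure (about 55 bits) is what a nine-character password of the same alphabet could have delivered.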

Chris Locke said...


1. A password must be at least six characters long, and must not contain two occurrences of a character in a row, or a sequence of two or more characters from the alphabet in forward or reverse order. Example: HGQQXP is an invalid password. GFEDCB is an invalid password.

2. A password may not contain two or more letters in the same position as any previous password. Example: If a previous password was GKPWTZ, then NRPWHS would be invalid because PW occurs in the same position in both passwords.

3. A password may not contain the name of a month or an abbreviation for a month. Example: MARCHBC is an invalid password. VWMARBC is an invalid password.

4. A password may not contain the numeric representation of a month. Therefore, a password containing any number except zero is invalid. Example: WKBH3LG is invalid because it contains the numeric representation for the month of March.

5. A password may not contain any words from any language. Thus, a password may not contain the letters A, or I, or sequences such as AT, ME, or TO because these are all words.

6. A password may not contain sequences of two or more characters which are adjacent to each other on a keyboard in a horizontal, vertical, or diagonal direction. Example: QWERTY is an invalid password. GHNLWT is an invalid password because G and H are horizontally adjacent to each other. HUKWVM is an invalid password because H and U are diagonally adjacent to each other.

7. A password may not contain the name of a person, place, or thing. Example: JOHNBOY is an invalid password.

Because of the complexity of the password selection rules, there is actually only one password which passes all the tests. To make the selection of this password simpler for the user, it will be distributed to all supervisors. All users are instructed to obtain this password from his or her supervisor and begin using it immediately.
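The four rules that can be checked without a password history or a dictionary (1, 3, 4 and 6) are implemented below as an added example of mine, not code from the post or the comment; the keyboard model is a QWERTY layout with a half-key row stagger, which is my assumption for what "adjacent" means. Run on the examples the comment gives, it reports which rule each one breaks.

```python
import re

MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
MONTH_TOKENS = MONTHS + [m[:3] for m in MONTHS]   # names and 3-letter forms

# QWERTY rows with the stagger of a physical keyboard (assumed model), so that
# diagonal neighbours such as H and U end up at most one column apart.
KEY_ROWS = [("qwertyuiop", 0.0), ("asdfghjkl", 0.5), ("zxcvbnm", 1.5)]
KEY_POS = {ch: (r, i + off) for r, (row, off) in enumerate(KEY_ROWS)
           for i, ch in enumerate(row)}


def keys_adjacent(a: str, b: str) -> bool:
    """True when two different keys touch horizontally, vertically or diagonally."""
    if a == b or a not in KEY_POS or b not in KEY_POS:
        return False
    (ra, ca), (rb, cb) = KEY_POS[a], KEY_POS[b]
    return abs(ra - rb) <= 1 and abs(ca - cb) <= 1


def check(password: str) -> list[int]:
    """Return the numbers of the implemented rules (1, 3, 4, 6) the password breaks."""
    p = password.lower()
    pairs = list(zip(p, p[1:]))
    broken = []
    # Rule 1: length, repeated character, alphabetically adjacent pair either way.
    if (len(p) < 6
            or any(a == b for a, b in pairs)
            or any(a.isalpha() and b.isalpha() and abs(ord(a) - ord(b)) == 1
                   for a, b in pairs)):
        broken.append(1)
    if any(tok in p for tok in MONTH_TOKENS):   # Rule 3: month name or abbreviation
        broken.append(3)
    if re.search(r"[1-9]", p):                   # Rule 4: any non-zero digit
        broken.append(4)
    if any(keys_adjacent(a, b) for a, b in pairs):  # Rule 6: keyboard walk
        broken.append(6)
    return broken


if __name__ == "__main__":
    for pw in ["HGQQXP", "GFEDCB", "MARCHBC", "VWMARBC",
               "WKBH3LG", "QWERTY", "GHNLWT", "HUKWVM"]:
        print(f"{pw:8s} breaks rules {check(pw) or 'none'}")
```

Several of the comment's examples break more rules than the one quoted for them (GHNLWT also fails rule 1, since G and H are alphabetically adjacent), which is the joke: stack enough composition rules and almost nothing survives.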