Securely share passwords - only once

blog preview

I often encounter situations, where contacts need to share a password or a secret - and then simply send it via potentially unencrpyted E-Mail. Or use WhatsApp, Microsoft Teams or Slack or similar apps.

Let's first start with the obvious: In general one should avoid to share passwords and secrets with other people. Most of the times it's the best and only reasonable solution to have dedicated accounts, tokens and secrets per user!

That being said - security needs to be practical, and while I'm all about highest security standards, I can see some use-cases, where sharing passwords is fine:

  • First-time login password - where you request your user to change it afterwards
  • API secrets - when a tool only allows an admin to create the secret, but a developer needs to work with it
  • User accounts which are only used for API purposes (while I think, tools which don't allow personalized API keys are bad - there are thousands out there. And we somehow need to work with them...)
  • Emergency access to an account or a system in case of disaster
  • And I guess there are many more reasons why sometimes it's ok to share passwords

The No-Go - Sharing via messenger app

However, where I really draw the line is the method of sharing the password. As you can guess, I'm quite apologetic when it comes to sharing passwords, when it is necessary - but I'm very much a hardliner when it comes to HOW the secrets are shared.

The most common thing I guess is E-Mail. An admin creates a user account for a new employee and sends the credentials via E-Mail. The colleague needs emergency access to one of your accounts - and sends the password via E-Mail. Or Microsoft Teams. Or Slack. What's the problem with that? First of all, E-Mail mostly is not encrypted. Anybody could watch your password being sent around. Also Slack and Teams have huge security flaws when it comes who could potentially read your messages.

And almost as important - or even more important: The passwords and secrets stay in the Inbox or Chat forever. Let's be honest - most people do not delete these secrets after they received them. And most people also do not change the secret, after the purpose of the sharing is not valid anymore. And we all have seen chat messages of our colleagues without us or them wanting us to see them, right? (And again - don't mistake my words for approval. I'd like to live in a world, where nobody shares his secrets. But that's just not realistic - making all our lives a little less secure).

Conclusion: Please do not and never share your secrets via E-Mail or messenger app!

The hard - creating encrypted archive with password protection

Then there are the people among us, who see the need for sharing a secret but also see the danger of simply transferring them via Mail. So they create a text-file containing the secret, encrypt the file with password protection, send the encrypted file via E-Mail and most probably the password of the encrypted file via different messenger app. While this is much more secure than the E-Mail approach, it still has flaws:

  • The password for decrypting the file is still around forever
  • The encrypted file will most probably also be around forever
  • The receiving user might extract/decrypt the file and keep the decrypted secret on his computer (which again is quite bad)
  • This whole process takes forever and is very inconvenient - and inconvenient security mechanisms are rarely successful

Conclusion: While this approach is inherently more secure, then sending secrets via Mail, it still lacks the convenience and security we need

The suggested way - sharing using a password manager

Ok, the clear and obvious best solution is to use a paasword-manager tool to share the secrets. There are quite some good once out there - both managed solutions and open-source self-hosting ones:

(Note that LastPass had some serious security incidents lately, so I'd not recommend them at the moment!)

And there is actually nothing inherently wrong with using a password manager to share your secrets. It is in fact the best and most secure solution. However - and this is not to be underestimated - a lot of people and companies still don't have passsword management solutions set up. And setting ups such a solution can get complex rather quickly if you have a rather huge IT landscape.

This solution also breaks, if sharing is to be done beyond your company limits. And this is where actually I - as a freelance consultant - are at the moment. I have a password manager - but my clients often don't. My solution is able to securely share secrets with clients - but not the other way around. So I end up getting passwords in plain text - even though I have a password manager.

Conclusion: If you need to share secrets - best is to use a password manager. However, there are some hurdles which prevent companies and inter-company-relationships from utilizing them. Still - use them. Excuses for not using password managers are actually very rare!!

The attempt of a compromise - secret.datascienceengineer.com

While it is clear that using a password manager for sharing secrets is the way to go there are still too many situations where I - as an avid user and preacher of security solutions - get handed over secrets and passwords via Mail, Chat or SMS. I really don't like this situation - that's why I created a small tool which I provide for free to anybody interested: secret.datascienceengineer.com.

The tool is very simple:

  • Upload your secret
  • The app will create a sharing link which you can distribute to your colleagues
  • Once the secret gets accessed by using the link, it gets deleted. As easy as that.

While this solution is worse than using password managers - as mentioned, please use a password manager whenever possible - it is better than any alternative:

  • It's easy to use - so very little friction to use. Which is good for security
  • It deletes your secrets after they are accessed once
  • This brings two additional benefits:
    • First, the secret is not lingering around your desktop for years
    • And second, if for some reasons your colleague gets the link but can't access the secret, you know, that someone already read this secret. Making a good case for changing it asap. With any other method, it's hard to find compromise that soon in the process
  • It's free to use - which should also limit friction

Behind the scenes

The app creates a new encryption key for each secret upload. The secret then is encrypted, using this key. The key and the encrypted secret are then stored in two different databases in two different physical locations.

When a user wants to access the secret again by using the share-link, the key as well as the encrypted secret are retrieved from their databases. The secret gets deleted, then decrypted and finally is presented to the user. So if the secret wants to be accessed a second time, it's gone...

Quick intro

  1. Navigate to secret.datascienceengineer.com

  2. Enter your secret in the input field and press Generate one-time link

    Upload secretsUpload secrets

  3. A popup appears, providing you the sharing link. Click Copy Link to Clipboard to copy this link

    Share LinkShare Link

  4. Distribute this link to your colleague

  5. Your colleague may now enter the sharing link into their browser. They can click on Copy this secret

    Get SecretGet Secret

    The secret is already deleted, when the user is presented with it's value.

Feel free to use this tool for free - it will be free forever. If you have thoughts about whether this tool helps with security or whether it's rather worsening security aspects - let me know!

------------------

Interested in how to train your very own Large Language Model?

We prepared a well-researched guide for how to use the latest advancements in Open Source technology to fine-tune your own LLM. This has many advantages like:

  • Cost control
  • Data privacy
  • Excellent performance - adjusted specifically for your intended use
Get your free LLM training guide

Need assistance?

Do you have any questions about the topic presented here? Or do you need someone to assist in implementing these areas? Do not hesitate to contact me.