@FreedomBen
Last active February 18, 2023 23:16
A helpful FAQ for sharing passwords!

Password sharing at SimpleNexus

Hello there! You may be trying to share a password with a coworker.
If that is you, you're in luck my friend! This document will help you to do so in a safe and secure manner.

You have a few options:

  1. Tell the person the password in real life
  2. Read it to the person over a live phone call (not a voicemail, and not a text message)
  3. Write it down on a piece of paper and hand it to them. Make sure to destroy the paper afterward (shred it or burn it). Don't just throw it away!
  4. Send the person the password using Keybase. You can sign up for the service and download the software at https://keybase.io

Things you should NOT do:

  1. Slack it
  2. Email it
  3. Text it

Using Keybase

Keybase is a service that makes asymmetric (public-key) encryption between non-technical (and technical) users much less painful and more secure than it used to be. Keybase manages the crypto keys for you behind the scenes: your private key stays on your own devices, so anything you send through Keybase is end-to-end encrypted and a secret between only you and the receiving party. Not even the Keybase server can read it!

Keybase provides chat, file sharing, encrypted git repos, and more.

To get started, head over to their website: https://keybase.io

After you are done, you should "follow" anybody you know. Following is how Keybase establishes a trust relationship: it records a signed snapshot of that person's verified identity proofs and public keys, so you will be warned if they change unexpectedly. If you follow FreedomBen (https://keybase.io/freedomben) and tell him you are at SimpleNexus, he will follow you back and add you as a member of the SimpleNexus team.

Why can't I just use Slack?

There are a few reasons why using Slack to share passwords is bad practice.

Firstly, Slack can read your messages. Slack is not end-to-end encrypted: the service decrypts messages to run search, exports and integrations, so Slack employees with the right access can read them. Slack has controls in place to restrict that access to engineers and others with a need-to-know, but that's still more access to our secrets than people at another company should have :-)

Secondly, Slack stores messages on its servers in a form Slack can decrypt: either in plain text, or (for some corporate accounts) encrypted with keys that Slack controls. This means that if an attacker compromises Slack, or compromises an account or app with access to our workspace, they could read our secrets right out of our Slack history.

Thirdly, not everyone even at our company should have access to all data. Direct messages can limit who sees a message, but they still suffer from the two problems above, and on some plans workspace admins can export direct messages too.

Fourthly, even if you delete the message, remnants of it may live on in backups, exports, notifications that were already sent, and the recipient's other devices. The point is, we don't control the crypto keys that Slack uses, so the ability to protect the secret is out of our hands.

Why can't I just use email?

All of the reasons above under slack, except replace "Slack" with "Google."

However, in Slack you can at least delete your message quickly. With email, both you and the recipient must delete their copies, and even then copies may remain on mail servers, in backups, and in any mailbox the message was forwarded to.

Email also makes it easy to unintentionally forward information, especially when it's buried in the history of a long email chain.

What should I do if I made a mistake?

Mistakes happen! Don't despair. But there are some things that you should do:

  1. Change the password as soon as possible (and anywhere else that same password is used)
  2. Delete the password from Slack. If you emailed it, delete your email and ask the recipient to delete their copy.
  3. Notify anybody that might be affected
  4. Consider notifying somebody on the Infrastructure or IT team to get further advice, depending on how important this account is or if you suspect somebody unintended may have gotten the password.