Comments
Also, that's one more reason to never ever ever EVER EVERRRR send any passwords/secrets via email
@iiii `less -L image.jpg`
Why? To read the plain-text data mistakenly embedded inside the image during file restoration :)
@netikras I would agree, but no :)
How else should I communicate a 45-character-long password for the database to a consultant? Dictate it one letter at a time?
msdsk: @NoToJavaScript send half through email, half through an encrypted chat. Send it as a password-protected archive with a simple (yet still hard to brute force) password. Send it through a communicator with built-in self-destructing messages.
Root: @NoToJavaScript Oh dear, I shouldn't transmit my database password in cleartext and have it stored unencrypted on someone else's servers? Whatever shall I do?
Really.
@Root OK.
So how do you share it?
Especially since there is a whitelist, and a password without a whitelisted client won't matter anyway.
@netikras lol.
Don't have phone numbers.
Vault? You'll need to give access to a vault anyway!
Good idea though. I'll look into it.
Root: @NoToJavaScript There are services dedicated entirely to this, like Egnyte. (Best for corporate use cases.)
Or you could transmit the password via Signal or some other end-to-end service. Super easy.
You could also email them a password-protected archive and call them to tell them the password (or use some other service disconnected from their email). This is the easiest for both parties.
You could instead have them download the archive over SFTP given temporary credentials. Same as above but a bit safer.
You could of course also hand it to them in person :)
Or you could treat it like an API key and have a website show them the password once and only once.
The point is there’s lots of ways around sharing it in cleartext. But since it’s a password they cannot change, and it grants significant access, you really do need to handle it with care to prevent exposure. Remember, most exposed credentials are caught by automated scripts, and many attacks are likewise automated.
The white list is an exceptionally good second layer, and limits (but does not exclude!) the usefulness of the intercepted password. A bad actor could still utilize it with sufficient effort.
(Of course, temper your choice with the associated risk.)
@NoToJavaScript If I have to, I prefer sharing secrets over SMS. If I can't, then I use 2-3 different channels to split the password, e.g. half the passphrase via messenger, another half - via email
@iiii I'm pretty sure some people do use that. I personally don't. There are simpler ways to store info :)
A good life lesson:
1. DON'T DELETE FILES YOU MAY WANT TO RECOVER
And if you DO delete them and then recover them, then
2. DON'T SEND THE RECOVERED FILES TO A·N·Y·O·N·E
Today I found a lost µSD card in the street. I did what every sane person would do -- plugged it into my laptop :)
There I found a directory with recovered pictures. I figured, some of them may contain the author's info in metadata, so I ran a quick plaintext search for @gmail.com.
Turns out, inside some of the recovered picture files I could find embedded company director's emails in plain text. I mean, open the picture with a text editor and read through those emails - no problem! And these emails contain some quite sensitive info, e.g. login credentials (lots of them).
Bottom line, if you delete and recover your files, then do your best to keep them close: don't share them, don't lose them. You might be surprised what these recovered files may contain.
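An added, defender-side illustration of what the rant describes (not code from the rant or its author): a checker for recovered JPEGs that walks the marker structure to find the image's real end and reports any carved-in trailing data, e-mail addresses or credential-looking lines, so recovered files can be triaged before they leave the machine. The sample file, its embedded thumbnail and the trailing text are constructed; `scan_recovered_file` and `jpeg_end` are names chosen here.

```python
import re

# JPEG markers used by the walker.
SOI, EOI = b"\xff\xd8", b"\xff\xd9"
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
KEYWORDS = (b"password", b"passwd", b"login", b"token", b"secret")

def jpeg_end(blob):
    """Offset just past the image's own EOI marker, or None if blob is not a
    well-formed JPEG.  Segments are walked instead of searching for FF D9:
    an EXIF thumbnail carries its own EOI, and stuffed FF 00 bytes or restart
    markers inside scan data must not end the image early."""
    if not blob.startswith(SOI):
        return None
    pos = 2
    while pos + 1 < len(blob) and blob[pos] == 0xFF:
        marker = blob[pos + 1]
        if marker == 0xFF:                                  # fill byte
            pos += 1
        elif marker == 0xD9:                                # EOI: real end of image
            return pos + 2
        elif 0xD0 <= marker <= 0xD8 or marker == 0x01:      # standalone markers
            pos += 2
        elif pos + 4 > len(blob):
            return None
        else:
            pos += 2 + int.from_bytes(blob[pos + 2:pos + 4], "big")
            if marker == 0xDA:                              # SOS: skip scan data
                while pos + 1 < len(blob) and not (
                        blob[pos] == 0xFF and blob[pos + 1] != 0x00
                        and not 0xD0 <= blob[pos + 1] <= 0xD7):
                    pos += 1
    return None

def scan_recovered_file(blob):
    """Report what a carver copied in after the picture: byte count, e-mail
    addresses and credential-looking lines.  A non-JPEG is inspected whole."""
    end = jpeg_end(blob)
    tail = blob[end:] if end is not None else blob
    hits = [ln for ln in tail.splitlines() if any(k in ln.lower() for k in KEYWORDS)]
    return {"jpeg_bytes": end, "trailing_bytes": len(tail),
            "emails": sorted({m.decode("latin-1") for m in EMAIL_RE.findall(tail)}),
            "credential_lines": [ln.decode("latin-1").strip() for ln in hits]}

# Constructed sample: tiny JPEG with an EXIF thumbnail (own SOI/EOI), scan data
# containing FF 00 stuffing and an RST0 marker, then text dragged in by recovery.
def _app1_with_thumbnail():
    thumb = SOI + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00\x12\x34" + EOI
    payload = b"Exif\x00\x00" + thumb
    return b"\xff\xe1" + (len(payload) + 2).to_bytes(2, "big") + payload

SAMPLE_TRAILING = b"From: director@example.com\r\nlogin: admin password: hunter2\r\n"
SAMPLE_RECOVERED = (SOI + _app1_with_thumbnail() + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
                    + b"\xab\xff\x00\xcd\xff\xd0\xef" + EOI + SAMPLE_TRAILING)
```

Running `scan_recovered_file` over the sample reports 60 trailing bytes after a 47-byte image, one e-mail address and one credential line; a naive search for the first `FF D9` would have stopped inside the thumbnail and flagged the rest of the real image as "trailing data".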
Tags: rant, recovered files, sensitive, secrets, life lesson, deleted files