Security mindsets of very small businesses and residential clients

technobabble

@alexntg I am using Office 365.

alexntg

@technobabble said:

@alexntg I am using Office 365.

That uses opportunistic TLS. If your receiving party does the same (or forces TLS) you'll be good to go for transmission encryption.

JaredBusch

@alexntg said:

@technobabble said:

@alexntg I am using Office 365.

That uses opportunistic TLS. If your receiving party does the same (or forces TLS) you'll be good to go for transmission encryption.

I recently had this argument with the owner of our company. He always refused to send passwords in email. Even internally. I repeatedly stated how much time he was wasting on a non-issue. Internal email is never on the public internet unencrypted for gods sake. We had an SBS server and are now Office 365. Everything is encrypted to the devices.

technobabble

Now I have to check my Zendesk ticketing system's encryption.

Carnival Boy

@JaredBusch said:

I repeatedly stated how much time he was wasting on a non-issue. Internal email is never on the public internet unencrypted for gods sake.

Depends on what the password is for, but other users may have been granted access to that user's e-mail. By using e-mail you may still be compromising security. It's about internal security as well as external security.

JaredBusch

@Carnival-Boy you are taking security to the point of interfering with running a business IMO. IT is a business expense, but there is a balance to it just like any other business expense.

Carnival Boy

Possibly. I really don't know what best practice is and to be honest, I haven't thought about it all that much. E-mailing passwords just feels wrong to me.

I normally send them by SMS, which is possibly even less secure (but like I say, I haven't thought about it much until today).

alexntg

@Carnival-Boy said:

Possibly. I really don't know what best practice is and to be honest, I haven't thought about it all that much. E-mailing passwords just feels wrong to me.

I normally send them by SMS, which is possibly even less secure (but like I say, I haven't thought about it much until today).

If you know how SMS works, your pants would be brown right about now.

Carnival Boy

Not sure. Google et al's two-factor verification is based on SMS, so how bad can it be? What's the worst that can happen?

alexntg

@Carnival-Boy said:

Not sure. Google et al's two-factor verification is based on SMS, so how bad can it be? What's the worst that can happen?

Well, you know, their password being broadcast on-air to everyone within a few miles of your user is up there in risk. Two-factor verification isn't quite the same as a password.

Carnival Boy

So they're at risk from attackers physically located within a few miles of them, who know what to do with a random password, and know exactly when the SMS is being sent? This seems very low risk or am I missing something? I only send the password, there is no other information with it. It's not quite the same as two-factor verification, but I think it's similar.

alexntg

@Carnival-Boy said:

So they're at risk from attackers physically located within a few miles of them, who know what to do with a random password, and know exactly when the SMS is being sent? This seems very low risk or am I missing something? I only send the password, there is no other information with it. It's not quite the same as two-factor verification, but I think it's similar.

There's still some risk. If someone's phone's being monitored, the person monitoring the phone would have some idea of who's it is. If someone's just absorbing all SMS traffic in a given area, it wouldn't have any particular meaning or value.

scottalanmiller

@Carnival-Boy said:

@JaredBusch said:

I repeatedly stated how much time he was wasting on a non-issue. Internal email is never on the public internet unencrypted for gods sake.

Depends on what the password is for, but other users may have been granted access to that user's e-mail. By using e-mail you may still be compromising security. It's about internal security as well as external security.

That is the case with any secure system though. If you have a compromise it doesn't matter if you used email, secure download, KeePass, etc. That doesn't make email any better or worse.

scottalanmiller

@Carnival-Boy said:

Possibly. I really don't know what best practice is and to be honest, I haven't thought about it all that much. E-mailing passwords just feels wrong to me.

I normally send them by SMS, which is possibly even less secure (but like I say, I haven't thought about it much until today).

Very insecure. SMS I would definitely avoid. That's worse than sending it to their personal email.

scottalanmiller

@Carnival-Boy said:

Not sure. Google et al's two-factor verification is based on SMS, so how bad can it be? What's the worst that can happen?

That's the second factor only. That's purely "extra" security above and beyond existing security. The point there is to send a one time code side band. It's only useful if you can combine the two bands and only for a moment. It could be announced openly on the radio and not be any risk.

That Google uses it that way doesn't imply anything about it being safe.

scottalanmiller

The worst that can happen is that a password is compromised because of not following minimum security practices (by using internal email.). Using SMS would move the risk from "acceptable low security for ease of use" via email to "unacceptably low security that takes more effort" potentially.

And are you sending to locked down end points? My SMS messages display even when my phone is locked.

scottalanmiller

I've written a bit on the evils of SMS. Keep in mind that email is "user" security. SMS is "device" security. You are deciding to send that password to the physical holder of a device rather than to the account of a user. Changes a lot if things fundamentally beyond the security gap.

Carnival Boy

@scottalanmiller said:

I've written a bit on the evils of SMS.

Link? I definitely don't understand the risks.

Another problem I have with using e-mail for confidential communication is the annoying habit of some users to set-up rules to forward all of their work e-mail to their personal e-mail. That's usually their personal Hotmail e-mail that uses the password "password".

scottalanmiller

@Carnival-Boy said:

@scottalanmiller said:

I've written a bit on the evils of SMS.

Link? I definitely don't understand the risks.

Another problem I have with using e-mail for confidential communication is the annoying habit of some users to set-up rules to forward all of their work e-mail to their personal e-mail. That's usually their personal Hotmail e-mail that uses the password "password".

What do you fear in email that you don't fear in SMS? SMS has no security either. All of the bad things in email exist in SMS.

Carnival Boy

@scottalanmiller said:

What do you fear in email that you don't fear in SMS? SMS has no security either. All of the bad things in email exist in SMS.

Off the top of my head, e-mail is easier to spread around, more likely to be read by other users or forwarded to unsecure locations, as I've already mentioned and more likely to be printed out and pinned on a noticeboard.

I generally send username and other account details by e-mail and passwords by SMS. One is useless without the other, and the probability of both being hacked is massively lower than the probability of one. That's the two-factor bit.

Let me ask you, what do you fear in SMS that you don't fear in e-mail? I certainly don't understand what is "evil" about SMS.