Security mindsets of very small businesses and residential clients
-
@technobabble said:
@scottalanmiller Good point. Now would you send the client their password in standard email because they didn't want it sent via secure email? It's my hosting server, I figure I am being security conscious by sending via secure email.
Absolutely. As long as they are the boss or the boss approved don't think twice, just do it. You tried to be secure and they explicitly don't want that. Time to deliver what they want.
-
@Aaron-Studer said:
And now you know why I stopped supporting residential client long ago.
They a pain in the ### and they always complain about the bill.....
Yeah. No money there.
-
I know the feeling. SMBs are much like the residential clients. They know it's bad for them, but still do it anyway. If it makes you feel any better, depending on the email platform you both use, the email may be encrypted in transit anyway.
Enterprise clients are generally better security-wise for the most part, though do have their own headaches to deal with.
-
@alexntg I am using Office 365.
-
@technobabble said:
@alexntg I am using Office 365.
That uses opportunistic TLS. If your receiving party does the same (or forces TLS) you'll be good to go for transmission encryption.
-
@alexntg said:
@technobabble said:
@alexntg I am using Office 365.
That uses opportunistic TLS. If your receiving party does the same (or forces TLS) you'll be good to go for transmission encryption.
I recently had this argument with the owner of our company. He always refused to send passwords in email. Even internally. I repeatedly stated how much time he was wasting on a non-issue. Internal email is never on the public internet unencrypted for gods sake. We had an SBS server and are now Office 365. Everything is encrypted to the devices.
-
Now I have to check my Zendesk ticketing system's encryption.
-
@JaredBusch said:
I repeatedly stated how much time he was wasting on a non-issue. Internal email is never on the public internet unencrypted for gods sake.
Depends on what the password is for, but other users may have been granted access to that user's e-mail. By using e-mail you may still be compromising security. It's about internal security as well as external security.
-
@Carnival-Boy you are taking security to the point of interfering with running a business IMO. IT is a business expense, but there is a balance to it just like any other business expense.
-
Possibly. I really don't know what best practice is and to be honest, I haven't thought about it all that much. E-mailing passwords just feels wrong to me.
I normally send them by SMS, which is possibly even less secure (but like I say, I haven't thought about it much until today).
-
@Carnival-Boy said:
Possibly. I really don't know what best practice is and to be honest, I haven't thought about it all that much. E-mailing passwords just feels wrong to me.
I normally send them by SMS, which is possibly even less secure (but like I say, I haven't thought about it much until today).
If you know how SMS works, your pants would be brown right about now.
-
Not sure. Google et al's two-factor verification is based on SMS, so how bad can it be? What's the worst that can happen?
-
@Carnival-Boy said:
Not sure. Google et al's two-factor verification is based on SMS, so how bad can it be? What's the worst that can happen?
Well, you know, their password being broadcast on-air to everyone within a few miles of your user is up there in risk. Two-factor verification isn't quite the same as a password.
-
So they're at risk from attackers physically located within a few miles of them, who know what to do with a random password, and know exactly when the SMS is being sent? This seems very low risk or am I missing something? I only send the password, there is no other information with it. It's not quite the same as two-factor verification, but I think it's similar.
-
@Carnival-Boy said:
So they're at risk from attackers physically located within a few miles of them, who know what to do with a random password, and know exactly when the SMS is being sent? This seems very low risk or am I missing something? I only send the password, there is no other information with it. It's not quite the same as two-factor verification, but I think it's similar.
There's still some risk. If someone's phone's being monitored, the person monitoring the phone would have some idea of who's it is. If someone's just absorbing all SMS traffic in a given area, it wouldn't have any particular meaning or value.
-
@Carnival-Boy said:
@JaredBusch said:
I repeatedly stated how much time he was wasting on a non-issue. Internal email is never on the public internet unencrypted for gods sake.
Depends on what the password is for, but other users may have been granted access to that user's e-mail. By using e-mail you may still be compromising security. It's about internal security as well as external security.
That is the case with any secure system though. If you have a compromise it doesn't matter if you used email, secure download, KeePass, etc. That doesn't make email any better or worse.
-
@Carnival-Boy said:
Possibly. I really don't know what best practice is and to be honest, I haven't thought about it all that much. E-mailing passwords just feels wrong to me.
I normally send them by SMS, which is possibly even less secure (but like I say, I haven't thought about it much until today).
Very insecure. SMS I would definitely avoid. That's worse than sending it to their personal email.
-
@Carnival-Boy said:
Not sure. Google et al's two-factor verification is based on SMS, so how bad can it be? What's the worst that can happen?
That's the second factor only. That's purely "extra" security above and beyond existing security. The point there is to send a one time code side band. It's only useful if you can combine the two bands and only for a moment. It could be announced openly on the radio and not be any risk.
That Google uses it that way doesn't imply anything about it being safe.
-
The worst that can happen is that a password is compromised because of not following minimum security practices (by using internal email.). Using SMS would move the risk from "acceptable low security for ease of use" via email to "unacceptably low security that takes more effort" potentially.
And are you sending to locked down end points? My SMS messages display even when my phone is locked.
-
I've written a bit on the evils of SMS. Keep in mind that email is "user" security. SMS is "device" security. You are deciding to send that password to the physical holder of a device rather than to the account of a user. Changes a lot if things fundamentally beyond the security gap.