Ask HN: What do you use for passwords on encrypted attachments

by mtbkrdave on 4/3/2019, 3:25:38 PM with 2 comments
Yes, yes, there are plenty of more-secure ways of getting files from point A to point B today, but once in a while a curmudgeonly vendor or someone's misguidedly-heavy-handed policy push us into having to send a sensitive attachment by email.

So, you zip it up with a password or generate an encrypted PDF - but what to use for the password? Absent a side channel to send the password through, you have to use some shared bit of knowledge. Same applies for sending a secure ProtonMail message to a non-PM address.

Most recently I used the message ID of the first message in a separate email thread with the same recipient - but there's no guarantee he still has that message or would have any clue how to get at the headers and track down the ID. I've used invoice numbers plus total dollar amounts on most-recent bills in the past, or strings from design files sent in cleartext previously.

Of course there's always a phone call and a sufficiently-simplistic password.

What's your favorite means of conveying a file password alongside the file?

  • by ziddoap on 4/3/2019, 3:36:47 PM

    If I have to send it this way, any out-of-band communication is generally fine with me although I do prefer phone (out-of-band verification and no transmission over net).

    Assuming your no side-channel requirement means no phone call available, I'd probably send with PGP. If its a pushy vendor, I'll be pushy back (company/position allows me to be pushy, ymmv). Worst case would be resorting to something like: "Password is the invoice number from XX/YY date and the first item code on the invoice" or something sufficently complex.

  • by krrrh on 4/4/2019, 3:46:15 PM

    https://onetimesecret.com/