Sending client passwords - what do you use?

SAFCasper (Well-Known Member, United Kingdom)
Just wondering how you all go about sending passwords to clients or 3rd parties?

We use a Sophos Outlook add-in for encrypting email. It requires the end user to set up an account the first time they use it. They set a password and we never see or have any record of it.

Without fail every subsequent time they use it ... "What is the password??? I can't access the files!!"

Is there an easier solution out there I'm unaware of?

I like the idea of sending a link that expires after 24 hours but I can't find anyone that offers this service. Closest I found was https://gensend.com/ but I'm not trusting passwords to an unknown developer on a free site.
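The expiring link the original poster is looking for is simple to build in house; this is an added example (not from the thread or any product mentioned in it) of a one-time, time-limited secret store: the sender stores a password and gets an opaque token to put in a link, the recipient can fetch it exactly once, and the record dies after 24 hours whether or not it was read. The in-memory dict, the 24-hour TTL and the injectable clock are my assumptions.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

TTL_SECONDS = 24 * 60 * 60  # assumed: links die after 24 hours


@dataclass
class _Entry:
    secret: str
    expires_at: float


@dataclass
class OneTimeSecretStore:
    # clock is injectable so expiry can be tested without waiting a day
    clock: Callable[[], float] = time.time
    _entries: Dict[str, _Entry] = field(default_factory=dict)

    def put(self, secret: str, ttl: int = TTL_SECONDS) -> str:
        """Store a secret; return the URL-safe token the link will carry."""
        token = secrets.token_urlsafe(32)  # 256 random bits: not guessable
        self._entries[token] = _Entry(secret, self.clock() + ttl)
        return token

    def take(self, token: str) -> Optional[str]:
        """Return the secret once and delete it.

        Returns None if the token is unknown, was already read, or expired.
        pop() removes the entry before the check, so a second read
        always fails and an expired entry is dropped on first touch.
        """
        entry = self._entries.pop(token, None)
        if entry is None or self.clock() > entry.expires_at:
            return None
        return entry.secret

    def purge_expired(self) -> int:
        """Drop entries past their TTL that nobody ever fetched."""
        now = self.clock()
        dead = [t for t, e in self._entries.items() if now > e.expires_at]
        for t in dead:
            del self._entries[t]
        return len(dead)
```

The secret sits in process memory in the clear here; a deployment would keep it encrypted at rest and serve the link over HTTPS only.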
 
For repeat offenders ... Sorry, those are your passwords and your responsibility to maintain. If you would like, we can set up an appointment to try and get the password reset for you.

Then bill them.

It kind of blows my mind when a client calls me out of the blue after not hearing from them for some time. "Hey what's my iCloud password?" Uhhhh how the F should I know.

I do keep a lot of passwords of clients but mainly for my own convenience, like logging into an admin portal for their company so I don't have to ask every time. If I'm feeling nice I'll give up a password to a good client, but for people that constantly pester, it's a billable reset.
 
I use Bitwarden, and if the client has an MSP contract trusted individuals within that organization are granted read only access to the appropriate collection. Beyond that, they get billed for a password reset, because it's not my job to remember passwords.
 
Beyond that, they get billed for a password reset, because it's not my job to remember passwords.
So true. Except for one company I have on MSP. They insist that I keep every password and login information for EVERYTHING they have. Oh, don't worry, that bit of work is built into their monthly MSP plan.
 
I never save/keep anyone's passwords for anything. I always fear someone blaming me for something since I know the password. Remember, I speak from a break/fix environment.
I'm actually the same way, but they insisted and offered to pay more per month per machine for me to do that. Who am I to turn down money? Anyway, I have all the information on 2 USB sticks. One in my house safe and the other in the shop safe. Both are BitLocked.
 
@Your PCMD I won't save passwords for break/fix clients; it's only MSP customers, because it's basically a necessity. I've got access to all their junk to admin, I need to put that stuff somewhere! And I need to be able to MFA the things in such a way that the owners can still access stuff.

So... Bitwarden.
 
Send it to them via postal in a letter.
Then tell them to shred it and send the pieces back to you for verification of destruction.
LOL!
But be sure to send half by USPS and the other half of their password by FedEx. This will ensure that if a party intercepts the password they will only have half of it.

Sent from my SM-G870W using Tapatalk
 
Depends ...

Sometimes I'll send passwords via text/SMS, sometimes copy/paste over a remote assistance session (ScreenConnect), sometimes via regular email, and sometimes I'll just access the user's folders on the server and drop some sort of credentials file in there.

It really depends on what the password is for though. If it's the password for their email account, for example, for obvious reasons I will give it to them verbally or via text, rather than email it to them. I think dissociation is the most important consideration. So, for example, I might email a password, but without any user name or url, etc. Instead I'll provide those via other means in advance (verbally, text, etc). Likewise, I might email login details, but send the password via text, etc.
 
If you have a gmail account, you can even set a password on docs in gmail; and it's ok to tell them what that password is in the same email. Then instruct them to delete the email with the attachment containing the password. This is very situation dependent.
 
I just tell them to call me. If that can't happen then I'll SMS. At least SMS, in theory, doesn't keep a copy on a server. Except for Apple.
 
Can be intercepted via trivial means if it's targeted, which is why even SMS 2-factor is better than no 2FA at all.
This. Random hacker in Prague isn't going to have the means to have some guy with radio gear in a truck near your office to try and grab the code being transmitted.
 
It limits the interception risk to the nation in which the cell phone lives, which is certainly an improvement but it's not the same improvement as proper 2FA.

All you have to do is talk a minimum-wage counter clerk out of a SIM card and you've got someone's texts. But there have also been vulnerabilities in the SMS system in the past that allowed for remote exploitation.

The security research on the topic is clear, yes it's better than nothing, but it's not strong enough to be considered 2FA.
 
I split the info across email and text for those "1x off" things...that aren't MSP. I never send passwords in email. Even if I send encrypted, what is to say that the "clients" email isn't being watched? Once it lands in their inbox..the encryption in transit is done...but if someone phished their email password and is watching from afar..there's the info.

Any passwords we keep, we store in our RMM's notes under the client's section. Behind 2FA.

If I send anything via text..it's just 1/2 of the equation...and useless without the other half. So in one of those ultra rare cases where the SIM was taken by a minimum wage counter worker at the store...they see a complex word/numbers/character...but "what is this for?" I won't say, for example.."your password to your O365 account is...."
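Splitting a password across two channels, as the poster above and the USPS/FedEx joke earlier describe, works better when the two pieces are XOR shares rather than the literal first and second half: each share alone is indistinguishable from random bytes, so an intercepted SMS or inbox gives up nothing but the length. This is an added example, not code from the thread; the base64 encoding and helper names are my own choices.

```python
import base64
import secrets
from typing import Tuple


def split_secret(password: str) -> Tuple[str, str]:
    """Return two URL-safe base64 shares; both are needed to recover the password.

    share_a is a fresh random one-time pad, share_b is the password XORed
    with it. Neither share leaks any byte of the password on its own
    (only its length, which both shares reveal).
    """
    data = password.encode("utf-8")
    pad = secrets.token_bytes(len(data))              # same length as the secret
    masked = bytes(p ^ d for p, d in zip(pad, data))
    return (
        base64.urlsafe_b64encode(pad).decode("ascii"),
        base64.urlsafe_b64encode(masked).decode("ascii"),
    )


def join_secret(share_a: str, share_b: str) -> str:
    """Recombine the two shares; order does not matter since XOR commutes."""
    a = base64.urlsafe_b64decode(share_a)
    b = base64.urlsafe_b64decode(share_b)
    if len(a) != len(b):
        raise ValueError("shares are not a matching pair")
    return bytes(x ^ y for x, y in zip(a, b)).decode("utf-8")
```

Send one share by email and the other by text (or read it out on the phone); as with the half-and-half approach, still leave the username and URL out of both messages.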
 
Send it to them via postal in a letter.
Then tell them to shred it and send the pieces back to you for verification of destruction.
LOL!
In all seriousness, I have a relative who works in national security. He told me that they are dreading the day when terrorists etc realise that good old Royal Mail is the most uncrackable, untrackable and simplest means of transmitting secure information.
 