Security Best Practices

Okay. This is definitely one of my organizational pet peeves: people who openly ask for or give out passwords! I think everyone has to take information security seriously, especially in this day and age. I like PGP/GPG, but it can be a pain for all parties to have to exchange keys and the like. When everybody wants something NOW, there is not much time or patience to set up a key exchange environment on the fly, although I have done it to enforce policy :)

Over the years I have come up with various creative means to honor password requests, but they usually involved some type of security through obscurity (STO). One of my favorite ad hoc methods is to put the credentials in a text file or other document and then package and encrypt that file in either a passcode-protected zip file (easier for userland) or with OpenSSL. The passcode is based on word coordinates from an email sent to that party previously. You then telephone that party and, referring to that previous email, name the positions of the words or phrase used to encrypt the file/document package. It is still an STO model, but it's better than nothing, since you don't have to transmit all of the information over the wire and risk man-in-the-middle interception.
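The scheme above, worked through as an added example (not code from the original post): a passphrase is assembled from word coordinates in a saved copy of the earlier email, and the credentials file is encrypted with OpenSSL using that passphrase. The email text, the credentials and the coordinates below are constructed samples; `word_at`, `passphrase_from_coords`, `encrypt_file` and `decrypt_file` are names chosen for this example.

```shell
#!/bin/sh
# Constructed sample of the "previous email" the recipient already has.
EMAIL_FILE="${TMPDIR:-/tmp}/prior_email.txt"
cat > "$EMAIL_FILE" <<'EOF'
Hi Dana,
Attached are the quarterly migration notes for the storage cluster.
Please review the failover section before Thursday's meeting.
Thanks, Sam
EOF

# word_at FILE LINE WORD: print the WORD-th whitespace-separated word on the LINE-th line (1-based).
word_at() {
    awk -v l="$2" -v w="$3" 'NR == l { print $w; exit }' "$1"
}

# passphrase_from_coords FILE L:W [L:W ...]: join the words at each coordinate with '-'.
# Only the coordinates (e.g. "line 2 word 4") are spoken over the phone; the words never leave the email.
passphrase_from_coords() {
    file="$1"; shift
    out=""
    for pair in "$@"; do
        line="${pair%%:*}"; word="${pair##*:}"
        w="$(word_at "$file" "$line" "$word")"
        out="${out:+$out-}$w"
    done
    printf '%s' "$out"
}

# OpenSSL symmetric encryption of the package. -pbkdf2 derives the key with a salted
# PBKDF2 (OpenSSL 1.1.1+) instead of the weak legacy key derivation; a fresh salt is
# generated each run. This also avoids the old ZipCrypto scheme used by many zip tools.
encrypt_file() {
    openssl enc -aes-256-cbc -pbkdf2 -salt -in "$1" -out "$2" -pass "pass:$3"
}
decrypt_file() {
    openssl enc -d -aes-256-cbc -pbkdf2 -in "$1" -out "$2" -pass "pass:$3"
}

# Sender side: constructed credentials file, encrypted with coordinates 2:4 3:4 4:2.
CREDS="${TMPDIR:-/tmp}/creds.txt"
printf 'db_user=app\ndb_pass=EXAMPLE-ONLY-NOT-REAL\n' > "$CREDS"
PASS="$(passphrase_from_coords "$EMAIL_FILE" 2:4 3:4 4:2)"
encrypt_file "$CREDS" "$CREDS.enc" "$PASS"
```

The recipient runs `passphrase_from_coords` with the same coordinates against their copy of the email and then `decrypt_file` on the package; anyone who intercepts only the encrypted file and the phone call still lacks the email text.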

In an ideal world, all OS vendors would agree upon and include some type of common tool that makes it easy for userland to perform basic encryption. If it were up to me, that tool would be OpenSSL :)