Secure Password Sharing

If you are reading this article, you can probably assume the answer to the question in the title is Yes, otherwise we wouldn’t put it out there.

“But passwords and sharing seem to be two things that don’t go together…”. It is true – to an extent. Long story short, how about we save some time and skip the part where we tell you to never do it?

Right, even though the rule of thumb says DON’T SHARE YOUR PASSWORDS WITH ANYONE (and you should try to stick to it), there are cases when this would be unavoidable. Think of:

  • Giving your site for maintenance
  • Collaborating in an app with not-so-flexible user management
  • Even such simple things as using online entertainment accounts

You see the point. And since access keys handover is something you’re not always able to avoid, you at least need to ensure you’re doing it securely.

3 steps to security

Whatever methods and techniques you choose for your secure password-sharing routine, you have to ensure the highest security in the following three aspects:

  1. Storage

Before you conduct the transfer, you put the credentials somewhere. And this somewhere had better be as secure as the channel by which they’ll travel. Secure vaults, protected and encrypted from any threat, are your bro here – a chat with yourself on Facebook is not.

  2. Transfer

Now, this one can be even more complicated than keeping the keys safe as they rest on a virtual (or any other) shelf. Here’s a bit more on the How of the matter. But, whatever you decide on, you need to take care of this part – it’s absolutely crucial.

  3. Attitude

People often act rather negligently when it comes to this last point. However, none of the Fort-Knox-security measures will be effective if you simply leave a sticky note with your password on your monitor. Don’t do that! Instead, be careful not to expose sensitive data to anything or anyone, and perform regular checks for vulnerabilities and malware on your site.

Access sharing techniques

Social sign-in & Device share

Say you need it for everyday things like Netflix, or any other case where you plan to have someone use your account from time to time.

One way this person can do it is by social media login, provided, of course, that they’re going to access the account from your device and you’re logged in to the service used for social sign-in. This is both fast and convenient, and they won’t see your password at all.

However, here comes the “but”: such an option may not be available on some resources you’d like to access. Your Google sign-in may work in Figma, but less popular sites do not necessarily offer it.

Oh, and another serious issue with social sign-in: it’s quite a universal thing. As we said above, not every site provides it, but still – many do. Therefore, your trusted someone should be someone you really trust because they can very well log in the same way to many other sites. Not to mention how much access to someone’s device would allow on its own.

Verdict: Highly convenient, highly insecure.

Hardcore DIY: Self-built secure password share channels

Spoiler: It’s a lot of work, and it’s safe to say you won’t be over the moon about building it all manually – even if you plan to exchange credentials comparatively often. But knowing what it takes can be quite educational.

First things first, you need to have something where the transfer will happen. That would either require creating a site (and protecting it appropriately) or setting up a server for client-server data exchange (also highly protected).

With a site

If you already have a site, you need to work a lot on its security if you plan to use it for transferring credentials. End-to-end encryption, automatic data deletion from the server, strongly protected channels – those are just the basics of what you need to build and set up.

  • For sure, you need to choose FTPS/SFTP for your data exchange with the server. Creating an SFTP account is not much different from creating an FTP one, but it’s a huge difference in security.
  • Needless to say, all modern sites need to be HTTPS – even more so the ones handling passwords.
  • Encryption is a must, too. You don’t need any strangers’ noses in your data, but you also need to be ready for them being there. Encryption that uses public and private keys makes it impossible for anyone or anything to make sense of what’s being sent.

All that seems like too much work for exchanging a piece of information that most likely doesn’t exceed 20 characters.

Without a site

Setting up a server alone is a ton of work. If you have no experience with it, it’s probably not worth bothering for this purpose.

  • Renting a server
  • Installing an OS on it
  • Setting up a firewall
  • User role management

Believe us: that would not exactly be the easiest thing to do.

And it’s not the end of the story: you did all that, and then your counterpart needs to connect to your server. Suppose they’re not tech-savvy – it’s not likely they’ll be ready to go through all that just to send a password.

Verdict: It will be as secure as you make it – at the cost of tons of labor hours and some money. Also, with a 99.99% probability, your counterpart won’t agree to go through the difficulties of the setup on their end.

Luckily, we live in a time when there’s a ready-made solution for almost everything.

Apps for passwords

Mostly, what we have in terms of apps for passwords are password managers. They store your confidential information securely and organize it so that it’s at hand whenever you need it. Sharing passwords with someone using such apps is not always exceptionally convenient.

For instance, LastPass, one of the most widespread apps for passwords, requires both the sender and receiving party to have an account. The same is true about 1Password. 

In other words, most of those solutions lack handy transfer functionality. So, if you decide to share your password kept in a secure account (assuming your counterpart doesn’t have one), you need to send the keys to that account. A closed cycle, isn’t it? And making someone sign up for something also doesn’t really help simplify the process.

KeysForWeb

This app is a solution that we’ve developed specifically for sharing access keys. And, better yet, it requires only one of the two people to have an account: the second one doesn’t have to sign up to share credentials. Also, it comes with a verification bot so that the receiving party knows the keys are valid.

Even though we keep mentioning credentials as a whole or in part, those are not the only thing you can – and should – share securely. Apart from those, there are licenses, confidential pieces of info and whatnot – each and every being highly sensitive and requiring careful handling.

Verdict: High security, optimal convenience (depending on the specific app you choose).

Anything else?

We’ve left out messengers and cloud share software on purpose. Pick any social network or a commonly used messenger: with almost 100% certainty, it is notorious for numerous data loss or leakage incidents. You don’t want that for anything more sensitive than hello to a friend.

Cloud share can be dangerous, too, if you don’t clean up all the remnants of the file that’s supposed to be secret – yes, from the Trash folder as well! Also, make sure you don’t leave traces in History. And you should never leave it open on any device that you let other people use!

Basically, the only actually safe and handy way left is a secure password share app. Preferably, it should be an app rather than a simple page because convenience matters. Sending a link, leaving it all for your counterpart to figure out, then following their link to see it – receiving it god knows where once again!

Keep it secure all along and choose in favor of the apps that cover the entire cycle, from the request to the transfer and display. KeysForWeb, for one, does it all – quick and simple.

Secure password share apps: A helping hand

In business

Whether you’re the one requesting the access keys or the one sharing them, you’d most certainly prefer the process to go as painlessly as possible. We recommend using an app for it, and here’s why.

In business, it’s essential to ensure your counterpart’s convenience throughout the process.

It’s one thing to choose secure means of sharing – and don’t get us wrong, security is without a doubt a crucial factor! But in such matters as business cooperation, the right attitude to collaboration is to make it pleasant and comfortable for both sides.

Think of the hidden benefits of using well-thought-through solutions:

  • You build trust, which is super important in handling sensitive information: from file storage to medical, banking, or trading platforms
  • You show you care; care not just about the profit on your side, but also about making the whole process an enjoyable experience for both of you.
  • And, even more importantly, you want your counterpart to feel at ease, dealing with everything involved in information exchange.

The latter is especially true for those who request passwords from their clients. People who request services from IT experts are normally not so crazy about digital solutions unfamiliar to them.

With teammates

Things can get especially messy if you need to share the credentials you received from another party with your team members.

As a smart man from a $100 bill once said, three can keep a secret if two of them are dead. Well, that’s a bit too radical an opinion! We believe in humanity and are pretty sure teams can handle keeping their client’s credentials a secret just fine. Also, as we remember, sharing passwords on a digital platform is sometimes an absolute necessity – remote workers know it better than anyone.

With the help of the right app, you can share passwords for collaboration the best way possible:

  • Quickly
  • Securely
  • In a neat and organized environment

Coming back to the statements made at the beginning of this post, it’s not always the best thing to use one account for an entire team. It can be convenient all right, but wait till you need to figure out who’s done what. All that is to say, it’s essential to keep some things separate.

That’s why team plans in any app – not only the ones related to passwords – should provide separate workspaces for each member. You all work together, but, at the same time, everyone has access only to things meant for them specifically. Check if the app you use does that – that can prevent a lot of bad stuff.

Sharing credentials – The Don’ts

Having your FTP or HTTP without the S

This funky wording implies that selecting FTP instead of SFTP or FTPS, as well as HTTP instead of HTTPS, wouldn’t be the smartest thing to do if you’re planning to deal with sensitive data. The S in all those acronyms stands for security – precisely what you need for sending a password on an adventurous trip to another device.

Using P2P

Peer-to-peer (P2P) networks sound like a perfect option for sharing something that should stay out of the public eye because they connect computers directly instead of using servers. However, you can never be sure you aren’t downloading something hazardous from it, and you know even less about how the person on the other side stores the data. It could be a security threat for both participants.

Using messengers

We can’t stress it enough: DO NOT USE MESSENGERS TO SHARE PASSWORDS, end of story. Whatever they tell you about how they protect your messages, popular messenger apps and social networks are no place for passwords to appear even for a second. Besides, you don’t really know how long their servers store your message after you delete it.

Bonus: Pro tips

Whichever top-tier tech solutions you use, you’re still left with good old human error and a lack of trust. Those pretty much irredeemable faults are in our very nature. But does that mean we can’t mitigate the risks? No, it doesn’t!

Sign an NDA

If you’re planning to share something confidential, it won’t hurt to take legal precautions. Sign a Non-Disclosure Agreement (NDA) with the person receiving the data from you. That way, if that person is the cause of the information leak, you can proceed with litigation. And it works the other way around: if someone asks you to sign one, do it and don’t take that personally – it’s a reasonable measure.

Double-check your input

Using a service with validation can save you the trouble here. But if you don’t use one and are going to send someone your credentials, check thoroughly for typos and the like. And, of course, make sure you’re sending the right thing because it can take up to a couple of days while both sides are figuring it out.

Don’t share if there’s no necessity

We know sharing is caring, but you need to be extra careful when handling credentials and other sensitive information. If you think you can do without sending someone your password, then don’t send it. The less you risk, the less likely your passwords are to end up in malicious hands.

The final verdict

“So, is it possible to share access keys securely?” Indeed it is!

“Should I do it?” By all means, yes!

“What would be the best means of doing so?” A handy ready-made app that helps you conduct the transfer quickly and painlessly, ensuring the highest level of security.

Alex Belov

Alex is a professional web developer and the CEO of our digital agency. WordPress is Alex’s business - and his passion, too. He gladly shares his experience and gives valuable recommendations on how to run a digital business and how to master WordPress.
