by chrisacky on 9/29/20, 10:24 AM with 9 comments
Once we get the passwords/keys/secrets, they are stored within a vault, but we don't have a good way of asking our customers for them that gives them confidence in supplying them.
Curious what solutions people have come up with?
i.e. PGP email. (Might be difficult for non-technically inclined people to achieve.) Sending half to "Skype" (or generic chat), the other half to email/phone. This, I'd argue, is less secure but seen as more secure by the customer than just having a collection form to let them enter it directly. A PGP self-hosted form submission which encrypts before sending...
The thing we want to avoid here is having passcodes all flying around on different media; we want a single process which is both seen by the customer as secure and is actually secure. The problem I've had is that we can make something that is secure, but customers think it's not because it's a simple 'web browser' form that is being submitted. We also need a non-technical solution for when clients aren't too capable: if we set something up which isn't convenient, even the technical folk will look at circumventing it.
by gtsteve on 9/29/20, 1:24 PM
Once they transfer a secret to us, I just move it out of the guest vault into another one. When I transfer a secret to them, I ask them to confirm that they have it and then I remove it from the shared vault.
by saluki on 9/29/20, 1:58 PM
If that's not possible I use
It encrypts and gives you a cut-and-paste URL/pass to view; it also times out after a specified time.
I ask the client to send the user/password separately, and not to include any identifying information as to what service it's for.
by Znafon on 9/29/20, 5:40 PM
It will be convenient and secure for everybody, and users wanting an extra level of security can use PGP.
by dyeje on 9/29/20, 5:17 PM
by caprycorne on 9/29/20, 10:31 AM