Educause Security Discussion mailing list archives

Re: Secure communication of passwords


From: "Joel L. Rosenblatt" <joel () COLUMBIA EDU>
Date: Wed, 28 Jan 2015 17:16:39 -0500

We wrote a web based application for this specific purpose (CUPET -
Columbia University Password Exchange Tool)
The user logs into the web page using their UNI and password, the secure
information is displayed - when they acknowledge (click) that they have the
password/information, the information is erased from the system - there is
a log kept of the transaction (time, date, IP address) so we can verify the
transaction if needed.

Joel




Joel Rosenblatt, Director Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
Public PGP key
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3

On Wed, Jan 28, 2015 at 5:04 PM, Mike Osterman <ostermmg () whitman edu> wrote:

This also reminds me of Purdue's FileLocker2 project:
http://filelocker2.sourceforge.net

Disclaimer: I've not tried it, but it looks solid and edu-friendly (CAS
and LDAP auth).

-Mike

On Jan 28, 2015, at 1:56 PM, Shalla, Kevin <kshalla () UIC EDU> wrote:

We wrote the application Protected Email Attachment Repository for this.
We have a video showing features:
https://www.youtube.com/watch?v=7qqXZIgzj2I

Kevin Shalla
Academic and Enrollment Services
University of Illinois at Chicago

*From:* The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of* Thomas Carter
*Sent:* Wednesday, January 28, 2015 3:27 PM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* [SECURITY] Secure communication of passwords

On occasion we need to communicate a password (with a possible username)
with a user. This is generally for some external system that doesn’t
integrate into existing authentication mechanisms. Per our policy, we can’t
send the password via email and it shouldn’t be written down. We generally
try to communicate it via a phone call if possible, with a text message to
a verified number as a backup. Unfortunately neither of these are
convenient, so I wondered what others are using for this task.

Thomas Carter
Network and Operations Manager
Austin College
903-813-2564
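
Added example, not part of the original thread and not CUPET's own code: a minimal in-memory sketch of the hand-off described in the top reply, where the authenticated recipient views the secret, it is erased on acknowledgement, and a log of time, user and IP address remains. The class and method names are hypothetical, and the `user` argument is assumed to come from an existing login layer (SSO, CAS or LDAP).

```python
import secrets
import time


class PasswordExchange:
    """One-time credential hand-off: view after login, erase on acknowledgement."""

    def __init__(self, clock=time.time):
        self._pending = {}   # item_id -> (recipient, secret)
        self.audit = []      # transaction log; never holds the secret itself
        self._clock = clock

    def _log(self, event, item_id, user, ip):
        self.audit.append({"time": self._clock(), "event": event,
                           "item": item_id, "user": user, "ip": ip})

    def deposit(self, recipient, secret, staff_user, ip):
        item_id = secrets.token_urlsafe(16)
        self._pending[item_id] = (recipient, secret)
        self._log("deposit", item_id, staff_user, ip)
        return item_id

    def _owned(self, item_id, user):
        entry = self._pending.get(item_id)
        return entry if entry is not None and entry[0] == user else None

    def view(self, item_id, user, ip):
        """Return the secret to its authenticated recipient, else None."""
        entry = self._owned(item_id, user)
        self._log("view" if entry else "denied", item_id, user, ip)
        return entry[1] if entry else None

    def acknowledge(self, item_id, user, ip):
        """Recipient confirms receipt: erase the secret, keep only the log."""
        if self._owned(item_id, user) is None:
            self._log("denied", item_id, user, ip)
            return False
        del self._pending[item_id]
        self._log("acknowledged", item_id, user, ip)
        return True


def demo():
    # Constructed sample data: user names, password and IPs are made up.
    ex = PasswordExchange()
    item = ex.deposit("abc123", "Tr0ub4dor&3", "helpdesk1", "192.0.2.10")
    wrong = ex.view(item, "xyz789", "198.51.100.7")   # other user: denied
    shown = ex.view(item, "abc123", "198.51.100.5")   # recipient sees it
    acked = ex.acknowledge(item, "abc123", "198.51.100.5")
    after = ex.view(item, "abc123", "198.51.100.5")   # erased: nothing left
    return wrong, shown, acked, after, ex.audit
```

A real deployment would also need TLS, an expiry for secrets that are never acknowledged, and encrypted storage while the secret is pending.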