How I Send Log-in Credentials

January 14, 2015 - Ever hear of "two-factor authentication?"

Have you heard of two-factor authentication? It is a security mechanism designed to make it harder for an attacker to break into an account. In its simplest form you enter a username and password (something you know) and are then asked to prove your identity a second way, usually with something you have. A common second factor is a code sent by text message to your phone, which you then type into the Web site.

It's a very good idea. It is an extra step, but it is very effective at stopping an individual account from being taken over with a stolen password. A password that is phished, reused, or exposed in one of the mass breaches that leak tens or hundreds of thousands of credentials at once is useless to the attacker without the second factor. It does not prevent those mass breaches themselves; it limits what can be done with the results.

My clients often exchange credentials with me so I can gain access to hosting accounts or other Web site-related services such as domain registrars or email providers. But too many of you simply send both the username and the password in the same email or text. Email is absolutely, positively not secure: a message sits in plain text on your mail server, on mine, on every device that syncs either mailbox, and in every backup of those, so anyone who can read any one copy gets a complete, working log-in.

So how can you get this information to me (or to anyone, for that matter) safely? Split it across two channels, which I think of as a two-factor transmission. It is not two-factor authentication in the strict sense, but it borrows the same principle: someone who intercepts one channel ends up with only half of what they need.

Step one is to send the username via email. Make sure you explain what the username is for (e.g., InfoQuest, GoDaddy, or whatever).

Step two is to send the password. The best method is a text message, not because texts are encrypted (they are not) but because a text is a different channel: whoever can read the email cannot see it there. Just send the password and nothing else.

If you must send the password via email, use a meaningless subject such as my favorite, "Additional Info." Don't leave the subject line blank; many spam filters flag such messages and redirect them to a junk folder, where the password sits unnoticed.

Whether text (recommended) or email, do not include any additional information. Don't mention what the password is for. Don't use "trigger" words like password, credentials or log-in; those are exactly the words someone searching a mailbox would look for. Just send the password itself. If the receiving party can't figure out what it is for, they'll get back to you. Once they confirm they have it, delete the message from your Sent folder as well.
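The two steps above split the credentials across two channels: the username travels by one, the password by the other. The same idea can be pushed one step further so that neither channel carries the password in readable form. What follows is an added example, not code from the original post and not the author's own procedure: the password is split into two random-looking shares with a one-time pad, one share goes by email and the other by text, and the recipient recombines them. Whoever reads a single channel sees only random bytes and the length of the password. The function names, the base64 encoding of the shares, and the sample password are all my choices for the illustration.

```python
import base64
import os


def split_secret(secret: str) -> tuple[str, str]:
    """Split `secret` into two shares that must both be present to recover it.

    Share one is a random one-time pad the same length as the secret; share
    two is the secret XORed with that pad.  Each share on its own is
    uniformly random bytes, so an eavesdropper on one channel learns only
    the length of the secret.  Both shares are base64-encoded so they can
    be pasted into an email or a text message as-is.
    """
    data = secret.encode("utf-8")
    pad = os.urandom(len(data))                     # cryptographically random pad
    masked = bytes(d ^ p for d, p in zip(data, pad))
    return (
        base64.b64encode(pad).decode("ascii"),      # send this one by email
        base64.b64encode(masked).decode("ascii"),   # send this one by text
    )


def combine_shares(share_one: str, share_two: str) -> str:
    """Recombine two shares produced by split_secret().

    Raises ValueError if a share is not valid base64, if the shares differ
    in length, or if the result is not valid UTF-8 (which means at least
    one share was corrupted or the two do not belong together).  XOR
    splitting has no built-in integrity check, so this decode-time check
    is the only signal the recipient gets that something went wrong.
    """
    try:
        pad = base64.b64decode(share_one, validate=True)
        masked = base64.b64decode(share_two, validate=True)
    except (ValueError, TypeError) as exc:          # binascii.Error is a ValueError
        raise ValueError("share is not valid base64") from exc
    if len(pad) != len(masked):
        raise ValueError("shares differ in length and cannot belong together")
    data = bytes(m ^ p for m, p in zip(masked, pad))
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ValueError("shares do not recombine to a valid secret") from exc


if __name__ == "__main__":
    # Constructed sample credential for the demonstration; not a real password.
    password = "correct horse battery staple"
    by_email, by_text = split_secret(password)
    print("share for the email:", by_email)
    print("share for the text: ", by_text)
    print("recombined:", combine_shares(by_email, by_text))
```

The sender runs split_secret once and pastes the first string into the email and the second into the text; the recipient pastes both into combine_shares. Because a corrupted share produces a wrong password rather than an obvious error in most cases, the recipient should confirm the recombined password actually logs in, and if it does not, ask for both shares again rather than just one. The practical cost is that both parties need the script, which is why the plainer email-plus-text split in the post is usually enough.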

What I Do With Your Credentials

Perhaps I should start with what I don't do. I don't keep a written copy. I don't retain emails or texts that contain credentials.

What I do is enter the information into a password vault. I happen to use SplashID. There may be better solutions but I have used the program for over 12 years, so I'm somewhat committed to it. It works on my phone and on my primary PC. Most important, it heavily encrypts the little database that contains the credentials. The password to SplashID itself is written down, in one place, and is stored in my memory and in my safe box. If my phone is lost, the credentials are inaccessible.

I do my best to forget your credentials (much easier as I age). SplashID has a couple of features that allow me to log in to a service without actually seeing the password. These features are much faster than viewing the password and then typing it in, so the program actually encourages me to forget. In the extraordinarily rare case of a client leaving me for other pastures, I delete all records relating to that client from the vault.

In short, I take the security of your credentials very seriously and deal with it as professionally as I can. You should do no less.