Keeping passwords secure is one of the most important practices we can adopt to improve our cyber security.
When sending login details to somebody else, the credentials are only as secure as the email system, helpdesk tool or user accounts used to send them. With that in mind, many organisations like to use "Private Bins".
What is a Private Bin?
A Private Bin is a place to save text which is encrypted and only available via a link. The password is held there on its own, without any other contextual information, so if that text is compromised the unwanted party has no idea what the password is used for.
These tools also offer 'burn after reading': once the link has been used to load the password, the password is removed and gone forever, so it can only be read once. Once the intended recipient has the password, nobody else can use the link. If somebody does hijack the link first, the recipient finds the text already gone, knows the password has been viewed, and can alert the sender so a new password can be issued.
Without context, and knowing the password can only be viewed once, we can be confident the password has been transferred securely. There is the risk that the password could be lost if the recipient does not store it safely on their end after viewing it.
How do I use a Private Bin?
There are lots of private bin tools out there, such as onetimesecret, privatebin, pasterbin and hundreds more. At the Charity Learning Consortium we have a self-hosted instance of the open source tool PrivateBin, which can be accessed at https://secure.charitylearning.org. Any of these tools are fine to use, but for maximum assurance we can be sure that our instance is fully managed by the Charity Learning Consortium team. We cannot view the passwords sent, and even if somebody did view them, without any context they would still be relatively secure.
When you visit secure.charitylearning.org you will be greeted with an empty input box. You can paste any text you wish into it and click Send at the top right. You can also configure whether the text should burn after reading (recommended) and how long until the link expires (default 1 week). You can even add an additional password to your link if you wish.
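To make the mechanism described above concrete (encrypted text reachable only via a link, burn after reading, and a link expiry), here is an added example in Python. It is not code from this page or from the PrivateBin project: it models the whole flow so the security property is visible in code. The secret is encrypted on the sender's side, the server stores only ciphertext, the key travels in the URL fragment (the part after '#', which browsers do not send to the server), and the burn-after-reading and expiry settings are enforced when the link is opened. The cipher is a stdlib-only encrypt-then-MAC stand-in for the browser-side encryption the real tool performs; the PasteServer class, the URL layout and all function names are assumptions for illustration.

```python
"""Toy model of a private-bin link (added example, not PrivateBin's code).

Security property shown: the hosting side only ever sees ciphertext, because
the decryption key lives in the URL fragment, and a burn-after-reading paste
is deleted the first time it is fetched, so a second visit gets nothing.
"""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import urlsplit

KEY_LEN = 32    # 256-bit key carried in the link fragment
NONCE_LEN = 16  # per-paste random nonce
TAG_LEN = 32    # HMAC-SHA256 tag


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # SHA-256 in counter mode as a simple keystream (illustrative stand-in,
    # not the AES scheme a real tool uses).
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None if the key is wrong or the blob was altered."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class PasteServer:
    """What the hosting side stores: paste id -> (ciphertext, burn flag, expiry time)."""

    def __init__(self) -> None:
        self.pastes = {}

    def create(self, ciphertext: bytes, burn_after_reading: bool = True,
               ttl_seconds: float = 7 * 24 * 3600, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        paste_id = secrets.token_hex(8)
        self.pastes[paste_id] = (ciphertext, burn_after_reading, now + ttl_seconds)
        return paste_id

    def read(self, paste_id: str, now: Optional[float] = None) -> Optional[bytes]:
        now = time.time() if now is None else now
        entry = self.pastes.get(paste_id)
        if entry is None:
            return None
        ciphertext, burn, expires_at = entry
        if now >= expires_at:
            del self.pastes[paste_id]  # expired: gone, even if never read
            return None
        if burn:
            del self.pastes[paste_id]  # burn after reading: a second visit fails
        return ciphertext


def create_link(server: PasteServer, base_url: str, secret: str,
                burn_after_reading: bool = True, ttl_seconds: float = 7 * 24 * 3600,
                now: Optional[float] = None) -> str:
    """Sender side: encrypt locally, upload ciphertext only, put the key in the fragment."""
    key = secrets.token_bytes(KEY_LEN)
    paste_id = server.create(encrypt(key, secret.encode("utf-8")),
                             burn_after_reading, ttl_seconds, now)
    key_b64 = base64.urlsafe_b64encode(key).rstrip(b"=").decode("ascii")
    return f"{base_url}/?{paste_id}#{key_b64}"


def open_link(server: PasteServer, link: str, now: Optional[float] = None) -> Optional[str]:
    """Recipient side: fetch by id from the query string, decrypt with the fragment key."""
    parts = urlsplit(link)
    paste_id, key_b64 = parts.query, parts.fragment
    key = base64.urlsafe_b64decode(key_b64 + "=" * (-len(key_b64) % 4))
    blob = server.read(paste_id, now)
    if blob is None:
        return None
    plaintext = decrypt(key, blob)
    return None if plaintext is None else plaintext.decode("utf-8")


if __name__ == "__main__":
    server = PasteServer()
    # Constructed placeholder secret; the host name is a placeholder too.
    link = create_link(server, "https://secure.example.invalid", "example-secret-password")
    print(link)
    print(open_link(server, link))  # the secret, first and only time
    print(open_link(server, link))  # None: the paste was burned
```

Note that `open_link` never sends the fragment to `PasteServer`: `server.read` receives only the paste id, which is exactly why the operator of the bin cannot read what was shared. Flipping the burn flag off and raising `ttl_seconds` reproduces the "expires in 1 week" default behaviour, and a tampered or truncated blob fails the tag check and yields `None` rather than garbage.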
Who can use this?
This is a great way of sharing passwords both externally and internally. Feel free to try it out, test it, and use it for all your needs. It's something we try to use all the time and would love for others to benefit from as well.
We want to send some details to a member such as:
username: josh.willcock
password: di39idfu9£U(Rh
host: charitylearning.org
Port: 22
Traditionally you would send all of this information in one insecure email, ticket or message. That is not best practice; to maximise security we replace just the password with a link, so the context of username and host is detached from it:
username: josh.willcock
password: https://secure.charitylearning.org/?46ac9d29af018175#5CShUHQ9GASFzwQeDjfSz4fGUwVQzu22rXDc1QD7pam1
host: charitylearning.org
Port: 22
Here we have entered the password by itself into the input area and clicked Send.
We are then shown our link and the message within. The next time this link is used the text will be displayed, and after that it will never work again. The recipient can copy and paste the text, or click 'save paste' to download it as a txt file.