IT will only give password over phone - but is that really more secure than email?




Every year an automated password reset occurs on a VPN account that I use to connect to the institution's servers. The VPN accounts/passwords are managed by the institution's IT department, so I have to send an email every year to follow up with the account controller in order to get the new password. This always ends in a phone call, because their policy is to not send passwords through email.



I have a vague understanding of why sending passwords through email is bad, but honestly I don't understand why telling someone a password over a phone would be any better. Assuming I have a 0% chance to change their policy (I really have no chance), why would telling someone a password over a phone call be more secure than email?



I am primarily focused on the ability for phone/email to be intercepted by a third party, but @Andrew raised a good point about the permanency of email.



There is some great information in this Q/A, but that question is about the most secure way to send login information, while I'm specifically asking about phone call vs email security.





A phone call is usually not recorded for indefinite history, whereas an email is usually not deleted. The transport security of either depends on a lot of things (phone: was it a landline, 2G/3G/4G, VoIP; email: does SMTP use TLS, does the client use TLS, etc.)
– Luc
2 days ago





@DeerSpotter I'm not sure I follow that metaphor; typing something into an HTTPS web page is not the same security as typing it into an email.
– Mike Ounsworth
2 days ago





And when you receive the password over the phone what do you do...? Write it on a Post-It and stick it to the side of your monitor?!
– MrWhite
2 days ago





@MrWhite I don't really understand the point of your comment...? I add it to my password manager.
– Chris Cirefice
2 days ago





@dandavis Just because your connection to gmail or whatever is secure does not mean the message will be encrypted all the way to the destination. superuser.com/questions/260002/…
– nasch
2 days ago





9 Answers



Emails are saved somewhere, whether it be on a mail server or someone's personal computer. Phone calls usually are not, unless it's a customer facing environment.





That was my first thought as well. Another thing you might elaborate on is the transport security of both methods. (See also my comment on the question.)
– Luc
2 days ago





@Luc That's what I was actually focused on initially, but Andrew makes a good point about the persistency of it all. I was originally thinking about how an email or phone call might be intercepted by a third party.
– Chris Cirefice
2 days ago





Easy to read an email over your shoulder, not as easy for a phone call.
– 202_accepted
2 days ago





As a matter of policy, my company records all phone calls, incoming and outgoing. The records are saved on the cloud behind credentials, and if an admin or the user who made the call wants, they can download the recording and send it via email. While it's not a common occurrence, it does happen.
– JM-AGMS
2 days ago






@JM-AGMS Even in that case, it's harder to scan a whole audio repository for a password than a text repository. Although... I guess you could pass an audio-to-text process to the whole thing and then look for words similar to "password"
– xDaizu
yesterday



Emails may (though as @Luc points out, not always) be sent in plaintext across the internet. That means they may be logged by your email provider, your ISP, your recipient's ISP, your recipient's email provider, or any of the networking equipment in-between. As the sender, you also have no control over who is looking over the shoulder of the person as they open the email.



With a phone call, you have more control over verifying that you are talking to the correct person, they can refuse to answer if they are in a public place, etc. Plus, while there are no guarantees that it's not being recorded, at least there's a good chance -- unlike email which has 100% chance of being in some database somewhere.





However, a lot of VoIP is transported unencrypted over LANs and the Internet. And on the TDM side of the phone network, there's no encryption or authentication whatsoever.
– user71659
2 days ago





@user71659 Fair enough. I have no experience in telephony. With text logs from email servers etc, it's super easy to ctrl+f for passwords. Assuming an unencrypted telephone network and/or VoIP packets, is it similarly easy to extract the password?
– Mike Ounsworth
2 days ago






Note that we are talking about a company here. Presumably internal email will never leave their premises. So yeah I point out that it's not always sent in plaintext, but for completeness, in this particular scenario it's actually likely that it is sent securely. Phone calls, on the other hand, almost always leave the premises since people usually only call via mobile phones these days (again, the case is different for internal VoIP or DECT, or in the case of CCC: GSM)
– Luc
2 days ago






@Luc Not in the US. My opinion is a desk phone is more comfortable to use, has better acoustics, doesn't use heavy speech compression, doesn't have dropouts. It's a far more professional experience. You also have issues when somebody needs to call 911, and with coverage, like an office in a basement. The US also, until a few years ago, had tax issues writing off cell phones.
– user71659
2 days ago






@user71659 A VoIP attacker needs to have a pre-established presence to proxy the session, have access to dump an intermediary network interface, or is stuck trying to falsify one party and force a session renegotiation live. You need to have a fairly significant presence or a lot of set-up time to do that. It's certainly not impossible, but I'd call that a much more sophisticated attack, and most certainly one that's much more difficult to do without leaving evidence.
– Iron Gremlin
yesterday



Even if both the email and phone conversation are recorded, it is orders of magnitude easier to search an email database for "password" than it is to search voice recordings.





Yes, though it would be easy enough to add a hurdle here by only sending an image file with the name kitten.gif which actually contains a “screenshot” of the text new password: pwd1234. A determined attacker will be able to crack this just as well as a phone recording, but not simply with grep. Either method is only security through obscurity.
– leftaroundabout
yesterday



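The answer and comment above argue that a text archive can be searched for leaked passwords with a one-liner, while an image attachment such as kitten.gif or a voice recording needs a separate decoding step first. The following is an added example (not code from the question or from any of the answers) of what that search looks like against a mail archive: it splits an mbox into messages, scans every text part for "password: ..." style disclosures, and separately reports image attachments that a text search cannot inspect. The three messages in SAMPLE_MBOX are constructed for this demo, and the regex is illustrative rather than a complete DLP ruleset.

```python
"""Scan a mail archive for credential disclosures.

Added example, not code from the question or any of the answers. The
archive below is constructed for this demo; the patterns are illustrative
and not an exhaustive DLP ruleset.
"""
import re
from email import policy
from email.parser import BytesParser

# Constructed sample archive in mbox layout: each message is preceded by a
# "From <sender> <date>" separator line.
SAMPLE_MBOX = b"""From it-helpdesk@example.org Mon Jan  8 09:00:00 2018
From: IT Helpdesk <it-helpdesk@example.org>
To: alice@example.org
Subject: VPN account reset
Content-Type: text/plain; charset="utf-8"

Hi Alice,

Your VPN password has been reset. New password: Tr0ub4dor&3
Please keep it safe.

From bob@example.org Mon Jan  8 10:15:00 2018
From: bob@example.org
To: alice@example.org
Subject: lunch?
Content-Type: text/plain; charset="utf-8"

Are we still on for 12:30?

From it-helpdesk@example.org Tue Jan  9 08:30:00 2018
From: IT Helpdesk <it-helpdesk@example.org>
To: carol@example.org
Subject: Re: access
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

See attached.

--XYZ
Content-Type: image/gif; name="kitten.gif"
Content-Disposition: attachment; filename="kitten.gif"
Content-Transfer-Encoding: base64

R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7
--XYZ--
"""

# Matches "password: x", "New password = x", "pwd is x" and similar.
# Group 1 is the candidate secret.
CREDENTIAL_PATTERNS = [
    re.compile(r"(?i)\b(?:new\s+|temporary\s+)?(?:password|passwd|pwd)\s*(?:is|[:=])\s*(\S+)"),
]


def iter_messages(mbox_bytes):
    """Split an mbox byte string on its separator lines and parse each message."""
    parser = BytesParser(policy=policy.default)
    for chunk in re.split(rb"(?m)^From [^\n]*\n", mbox_bytes):
        if chunk.strip():
            yield parser.parsebytes(chunk)


def scan_mailbox(mbox_bytes):
    """Return one finding per message that either leaks a credential in a text
    part or carries an image attachment that plain text search cannot read."""
    findings = []
    for index, msg in enumerate(iter_messages(mbox_bytes)):
        hits, opaque = [], []
        for part in msg.walk():
            if part.is_multipart():
                continue  # container only; the leaves carry the content
            ctype = part.get_content_type()
            if ctype.startswith("text/"):
                text = part.get_content()
                for pattern in CREDENTIAL_PATTERNS:
                    hits.extend(m.group(1) for m in pattern.finditer(text))
            elif ctype.startswith("image/"):
                # Not greppable: would need OCR before the patterns apply.
                opaque.append(part.get_filename() or "<unnamed>")
        if hits or opaque:
            findings.append({
                "index": index,
                "from": str(msg.get("From", "")),
                "subject": str(msg.get("Subject", "")),
                "hits": hits,
                "opaque_attachments": opaque,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_mailbox(SAMPLE_MBOX):
        print(finding)
```

Run against the constructed archive, the first message is flagged with the literal password and the third with kitten.gif as an attachment that still needs a human or an OCR pass; the lunch message produces nothing. The same loop pointed at a real Maildir or mbox export is what an attacker with a copy of the mail store, or a DLP reviewer, would actually run.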

This policy is common where usernames and passwords are sent via separate channels.



It doesn't matter which channels, just as long as the authentication pairs are split apart and sent via different methods.



This is the accepted best practice because intercepting the right two channels is much harder than watching one channel for the authentication pair to simply pass by.



The reasoning behind this is that password changes are not just when you forget a password but when there is suspicion that an account has been compromised. For this reason password changes are done "out of band" to ensure that password updates are not easily captured.



In the world of IT security it is sometimes not about being perfectly secure. It is acceptable to be just hard enough to have attackers go try somewhere else.



The security of an email is hard to establish. The email is most likely kept in archives (there are even some regulations for certain companies). So sending a password in an email is a bad idea from that standpoint. Email intercept could also happen.



Phone, on the other hand, is less likely to be recorded, but phone intercept or recording could exist. So it isn't that great of an idea. I read a comment that land lines are harder to tap than computer systems - I would disagree. Tapping a traditional phone line is much simpler than hacking a remote server. VOIP phones require new techniques but are not that hard either - plug in a hub, connect your PC to one port of the hub, and you now have a copy of all packets, and VOIP decoding software abounds. It's probably harder to intercept a cell phone signal, but I don't know, haven't done it.



One (maybe perceived) benefit of using the phone over the email is the assurance that you are giving the password to the person you want to give the password to. Being a system administrator myself, who has to reset passwords, this is something I can attest to. If you send an email, you don't really know who is on the other end. It could be a spoofed email, hijacked account, etc. If you know the person, you can recognize the person's voice. You can ask some questions to verify authenticity (you could do that on email too but there is a safety feeling when doing it over the phone).



Now, having an administrator set a password that remains the password, and not letting the user set their own password, is really bad practice in my opinion, because now the password has to be transmitted and whatever is transmitted is going to be the password forever after.



Is there more to the policy? In many organizations they will give a new password over the phone but they must know the person's voice and answer a question (who is your boss, when was your last review).



It's somewhat similar to a multi-factor authentication process.



In a secure system, passwords provided by IT should only be temporary, one time use only, random strings, so the user has to immediately type it in and change it to their own new secret password. IT should never know or transmit a user's "real" password.



Users need to be vetted prior to the reset and that is much easier done by voice call, ask a question, get an answer, done.



Even if the temp. password is overheard on a call, there would not be any time for it to be used. Emails, however, are sometimes neglected for some time before being read, giving an attacker the chance to do their worst.



Additionally, a recorded voice call can be used to identify if a user has been impersonated later on, whereas you can't tell who looked at an open email screen or remote email server.



My 10 years of experience are in a financial institution environment so this level of security may not be economically justified if security needs are less stringent. Paying for IT bodies is expensive and most systems/apps are going to web based security anyway, so the days of IT password resets by voice are numbered in any event.





I agree with your answer, but sadly there is no password management from the end-user side in this VPN system. So IT sets the password and then changes it every year. It’s not a secure system in the slightest, since IT knows all user passwords. Worse, the password wasn’t high-entropy (8 characters and 2 numbers, no symbols).
– Chris Cirefice
7 hours ago



The logic I use when insisting on using phone or text to send the password is the fact it's a second channel.



Even with all of the insecurities detailed above of email, if the email was sent with only the password in it, there is not enough information for malicious use. However, if you intercept an email that has a similar meaning to "Your password for account xxx on service yyy has been changed to zzz", you have everything you need to access the account.





You're assuming the email is coming from an address at a different domain. If an attacker gets an email with a password from "noreply@example.com" to "alice@gmail.com", the first thing they would try is signing into example.com with username "alice" and the password from the email.
– AndrolGenhald
2 days ago



There are several good answers about why sending Password = -value- in an email is bad.



BUT



No one is mentioning that if the password is simple enough to easily be communicated by voice it is probably not complex enough to be effective, and the receiving party is probably going to write it on a piece of paper...



Related XKCD #936: Short complex password, or long dictionary passphrase?





There's nothing wrong with writing passwords on a piece of paper. A lot of secure information gets written on pieces of paper. It's what steps you take to ensure that only the right people can see the piece of paper that matters.
– Michael Kay
yesterday





Given that communicating long serial numbers or contract support numbers, 16+ characters in length, is fairly routine over the phone, I don't see why communicating a 16+ character password would be more difficult. Yes, they will write the complex password down but they will do that anyway if they get it via email.
– Doug O'Neal
6 hours ago






