IT will only give password over phone - but is that really more secure than email?

Every year an automated password reset occurs on a VPN account that I use to connect to the institution's servers. The VPN accounts/passwords are managed by the institution's IT department, so I have to send an email every year to follow up with the account controller in order to get the new password. This always ends in a phone call, because their policy is to not send passwords through email.

I have a vague understanding of why sending passwords through email is bad, but honestly I don't understand why telling someone a password over a phone would be any better. Assuming I have a 0% chance to change their policy (I really have no chance), why would telling someone a password over a phone call be more secure than email?

I am primarily focused on the ability for phone/email to be intercepted by a third party, but @Andrew raised a good point about the permanency of email.

There is some great information in this Q/A, but that question is about the most secure way to send login information, while I'm specifically asking about phone call vs email security.

9 Answers
9

Emails are saved somewhere, whether it be on a mail server or someone's personal computer. Phone calls usually are not, unless it's a customer facing environment.

Emails may (though as @Luc points out, not always) be sent in plaintext across the internet. That means they may be logged by your email provider, your ISP, your recipient's ISP, your recipient's email provider, or any of the networking equipment in-between. As the sender, you also have no control over who is looking over the shoulder of the person as they open the email.

With a phone call, you have more control over verifying that you are talking to the correct person, they can can refuse to answer if they are in a public place, etc. Plus, while there are no guarantees that it's not being recorded, at least there's a good chance -- unlike email which has 100% chance of being in some database somewhere.

Even if both the email and phone conversation are recorded, it is orders of magnitude easier to search an email database for "password" than it is to search voice recordings.

kitten.gif

new password: pwd1234

grep

This policy is common where usernames and passwords are sent via separate channels.

It doesn't matter which channels just as long as it the authentication pairs are split apart and sent via different methods.

This is the accepted best practice because intercepting the right two channels is much harder than watching one channel for the authentication pair to simply pass by.

The reasoning behind this is password changes are not just when you forget a password but when there is suspicion that an account has been compromised. For this reason password changes are done "out of band" to ensure that password updates are not easily captured.

In the world of IT security it is sometimes not about being perfectly secure. It is acceptable to be just hard enough to have attackers go try somewhere else.

The security of an email is hard to establish. The email is most likely kept in archives (there are even some regulations for certain companies). So sending a password in an email is a bad idea from that standpoint. Email intercept could also happen.

Phone on the other hand, is less likely to be recorded, but phone intercept or recording could exist. So it isn't that great of an idea. I read a comment that land line are harder to tap than computer systems - I would disagree. Taping a traditional phone line is much simpler than hacking a remote server. VOIP phones require new technique but not that hard either - plug a hub, connect your PC to one port of the hub, and you now have a copy of all packets, and VOIP decoding software abound. It's probably harder to intercept a cell phone signal, but I don't know, haven't done it.

One (maybe perceived) benefit of using the phone over the email is the assurance that you are giving the password to the person you want to give the password to. Being a system administrator myself, who has to reset passwords, this is something I can attest to. If you send an email, you don't really know who is on the other end. It could be a spoofed email, hijacked account, etc. If you know the person, you can recognize the person's voice. You can ask some questions to verify authenticity (you could do that on email too but there is a safety feeling when doing it over the phone).

Now, having an Administrator set a password and that remain the password and not let the user set their own password is really bad practice in my opinion due to these factors of now the password has to be transmitted and whatever is transmitted is going to be the password forever after.

Is there more to the policy? In many organizations they will give a new password over the phone but they must know the persons voice and answer a question (who is your boss, when was your last review).

It's somewhat similar to a multi-factor authentication process.

In a secure system, passwords provided by IT should only be temporary, one time use only, random strings, so the user has to immediately type it in and change it to their own new secret password. IT should never know or transmit a user's "real" password.

Users need to be vetted prior to the reset and that is much easier done by voice call, ask a question, get an answer, done.

Even if the temp. password is overheard on a call, there would not be any time for it to be used. Emails, however are sometimes neglected for some time before being read, giving an attacker the chance to do their worst.

Additionally, a recorded voice call can be used to identify if a user has been impersonated later on, whereas you can't tell who looked at an open email screen or remote email server.

My 10 years of experience are in a financial institution environment so this level of security may not be economically justified if security needs are less stringent. Paying for IT bodies is expensive and most systems/apps are going to web based security anyway, so the days of IT password resets by voice are numbered in any event.

The logic I use when insisting on using phone or text to send the password is the fact it's a second channel.

Even with all of the insecurities detailed above of email, if the email was sent with only the password in it, there is not enough information for malicious use. However, if you intercept an email that has a similar meaning to "Your password for account xxx on service yyy has been changed to zzz", you have everything you need to access the account.

There are several good answers about why sending Password = -value- in an email are bad.

BUT

No one is mentioning that if the password is simple enough to easily be communicated by voice it is probably not complex enough to be effective and the receiving party is probably going to write on a piece of paper...

Related XKCD #936: Short complex password, or long dictionary passphrase?

By clicking "Post Your Answer", you acknowledge that you have read our updated terms of service, privacy policy and cookie policy, and that your continued use of the website is subject to these policies.