Security mindsets of very small businesses and residential clients



  • A residential client told me her password yesterday and I didn't know whether to laugh or cry. The password is a date with the month spelled out, AND she uses it for everything. So she got the speech about week passwords and how you shouldn't use the same one everywhere. She said it was too hard to change them and besides, she would quit. Her husband spoke up and said I have too many to worry about, there is NO way I am going to change any of them.

    Today, a business client needs a new email setup. I sent everything but the password via help desk and the password via secure email. I get back an email to send the password via email. I forwarded the secure email again and told her via support desk that I have sent it again. Her reply: I know, but I would rather have you send it by email, because I have to set up an account to get it that way. That was 5 hours ago and I still have no idea how to reply without sounding like an ass.

    ARRRGGG



  • UG... I know your pain.



  • Did you catch your own pun?

    Her password is a spelled out month.

    You called it a week password.



  • @Dashrender Residential clients I don't worry about so much.



  • Bottom line, give quick advice but don't spend your energy worrying about the lack of security of other people that are not your employees. Not your problem. Just let it go.



  • @scottalanmiller week...weak...wow, the damn spell check can't read my mind! Yeah I meant weak. And I wish I had been trying to be punny!



  • @scottalanmiller Good point. Now would you send the client their password in standard email because they didn't want it sent via secure email? It's my hosting server, I figure I am being security conscious by sending via secure email.



  • And now you know why I stopped supporting residential clients long ago.

    They're a pain in the ### and they always complain about the bill.....



  • @technobabble said:

    @scottalanmiller Good point. Now would you send the client their password in standard email because they didn't want it sent via secure email? It's my hosting server, I figure I am being security conscious by sending via secure email.

    Absolutely. As long as they are the boss or the boss approved don't think twice, just do it. You tried to be secure and they explicitly don't want that. Time to deliver what they want.



  • @Aaron-Studer said:

    And now you know why I stopped supporting residential clients long ago.

    They're a pain in the ### and they always complain about the bill.....

    Yeah. No money there.



  • I know the feeling. SMBs are much like the residential clients. They know it's bad for them, but still do it anyway. If it makes you feel any better, depending on the email platform you both use, the email may be encrypted in transit anyway.

    Enterprise clients are generally better security-wise for the most part, though do have their own headaches to deal with.



  • @alexntg I am using Office 365.



  • @technobabble said:

    @alexntg I am using Office 365.

    That uses opportunistic TLS. If your receiving party does the same (or forces TLS) you'll be good to go for transmission encryption.



  • @alexntg said:

    @technobabble said:

    @alexntg I am using Office 365.

    That uses opportunistic TLS. If your receiving party does the same (or forces TLS) you'll be good to go for transmission encryption.

    I recently had this argument with the owner of our company. He always refused to send passwords in email. Even internally. I repeatedly stated how much time he was wasting on a non-issue. Internal email is never on the public internet unencrypted, for God's sake. We had an SBS server and are now Office 365. Everything is encrypted to the devices.



  • Now I have to check my Zendesk ticketing system's encryption.



  • @JaredBusch said:

    I repeatedly stated how much time he was wasting on a non-issue. Internal email is never on the public internet unencrypted, for God's sake.

    Depends on what the password is for, but other users may have been granted access to that user's e-mail. By using e-mail you may still be compromising security. It's about internal security as well as external security.



  • @Carnival-Boy you are taking security to the point of interfering with running a business IMO. IT is a business expense, but there is a balance to it just like any other business expense.



  • Possibly. I really don't know what best practice is and to be honest, I haven't thought about it all that much. E-mailing passwords just feels wrong to me.

    I normally send them by SMS, which is possibly even less secure (but like I say, I haven't thought about it much until today).



  • @Carnival-Boy said:

    Possibly. I really don't know what best practice is and to be honest, I haven't thought about it all that much. E-mailing passwords just feels wrong to me.

    I normally send them by SMS, which is possibly even less secure (but like I say, I haven't thought about it much until today).

    If you knew how SMS works, your pants would be brown right about now.



  • Not sure. Google et al's two-factor verification is based on SMS, so how bad can it be? What's the worst that can happen?



  • @Carnival-Boy said:

    Not sure. Google et al's two-factor verification is based on SMS, so how bad can it be? What's the worst that can happen?

    Well, you know, their password being broadcast on-air to everyone within a few miles of your user is up there in risk. Two-factor verification isn't quite the same as a password.



  • So they're at risk from attackers physically located within a few miles of them, who know what to do with a random password, and know exactly when the SMS is being sent? This seems very low risk or am I missing something? I only send the password, there is no other information with it. It's not quite the same as two-factor verification, but I think it's similar.



  • @Carnival-Boy said:

    So they're at risk from attackers physically located within a few miles of them, who know what to do with a random password, and know exactly when the SMS is being sent? This seems very low risk or am I missing something? I only send the password, there is no other information with it. It's not quite the same as two-factor verification, but I think it's similar.

    There's still some risk. If someone's phone is being monitored, the person monitoring the phone would have some idea of whose it is. If someone's just absorbing all SMS traffic in a given area, it wouldn't have any particular meaning or value.



  • @Carnival-Boy said:

    @JaredBusch said:

    I repeatedly stated how much time he was wasting on a non-issue. Internal email is never on the public internet unencrypted, for God's sake.

    Depends on what the password is for, but other users may have been granted access to that user's e-mail. By using e-mail you may still be compromising security. It's about internal security as well as external security.

    That is the case with any secure system though. If you have a compromise it doesn't matter if you used email, secure download, KeePass, etc. That doesn't make email any better or worse.



  • @Carnival-Boy said:

    Possibly. I really don't know what best practice is and to be honest, I haven't thought about it all that much. E-mailing passwords just feels wrong to me.

    I normally send them by SMS, which is possibly even less secure (but like I say, I haven't thought about it much until today).

    Very insecure. SMS I would definitely avoid. That's worse than sending it to their personal email.



  • @Carnival-Boy said:

    Not sure. Google et al's two-factor verification is based on SMS, so how bad can it be? What's the worst that can happen?

    That's the second factor only. That's purely "extra" security above and beyond existing security. The point there is to send a one time code side band. It's only useful if you can combine the two bands and only for a moment. It could be announced openly on the radio and not be any risk.

    That Google uses it that way doesn't imply anything about it being safe.



  • The worst that can happen is that a password is compromised because of not following minimum security practices (by using internal email). Using SMS would move the risk from "acceptable low security for ease of use" via email to "unacceptably low security that takes more effort" potentially.

    And are you sending to locked down end points? My SMS messages display even when my phone is locked.



  • I've written a bit on the evils of SMS. Keep in mind that email is "user" security. SMS is "device" security. You are deciding to send that password to the physical holder of a device rather than to the account of a user. Changes a lot of things fundamentally beyond the security gap.



  • @scottalanmiller said:

    I've written a bit on the evils of SMS.

    Link? I definitely don't understand the risks.

    Another problem I have with using e-mail for confidential communication is the annoying habit of some users to set up rules to forward all of their work e-mail to their personal e-mail. That's usually their personal Hotmail e-mail that uses the password "password".



  • @Carnival-Boy said:

    @scottalanmiller said:

    I've written a bit on the evils of SMS.

    Link? I definitely don't understand the risks.

    Another problem I have with using e-mail for confidential communication is the annoying habit of some users to set up rules to forward all of their work e-mail to their personal e-mail. That's usually their personal Hotmail e-mail that uses the password "password".

    What do you fear in email that you don't fear in SMS? SMS has no security either. All of the bad things in email exist in SMS.

