Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I’ve never had someone send me a password before. What do they need to send passwords over slack for?


I'm a contract worker and often times a company first onboards me to slack, then sends me a bunch of login information in plain text after opening an internal ticket to add me to various systems.


Oof, that sounds bad.

My current company has an internal ‘secret sharing’ tool kind of like Pastebin (but encrypted, one time open links, etc) for one off sharing of things like that. For all other creds we use Vault heavily.

PII, passwords, things like that are NEVER to go over Teams or email.


If these are temp passwords that get changed on first login and expire maybe it's not so bad. If it is a normal password though yes that is pretty bad.


"Oh, I forgot my AWS password, can you reset it?"

Fortunately, AWS from my example makes you set a new one after this. I'm sure there are other company-administered services with similar dynamics where the pwd change isn't required or the admin won't check that box because try are bad at their job


Even Windows has this, but there are a bunch of corner cases where it doesn't work.

The integrated RADIUS server can be configured to allow passwords that need changing (so that you can actually connect to AD and change it if you're away). But many other services, like AD-backed VPNs and such, will choke on a password that must be changed.


Start by not having a password manager that is universally adopted across the corporation.

Then maybe you've got a planned change that requires a manual operation on the production database, and you don't have the password already because it's rotated daily.

Maybe you need the agent license key for the monitoring system, so you can add it to the secrets file for the new host you're setting up.

Maybe someone created a new service and, and asked you to generate a new oauth2 client secret for it, and you need to send it to them.

Maybe it's corporate policy that every laptop must have an encrypted disk, and you've mailed a new remote worker a laptop and now need to send them the disk password by a different channel.

Maybe you occasionally need to work with some decrepit system that doesn't support single-sign-on - like a server's IPMI or some obscure bit of network equipment.

Of course there are better options than slack (which doesn't even have an off-the-record mode) but if slack is what everyone uses? Well....




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: