Rate my Webapp: Securely send passwords (SendMyPassword.net)
5 points by harisenbon on March 1, 2010 | 3 comments
Site: https://sendmypassword.net/

Details: At my work we spend a lot of effort and time trying to get passwords to our users (faxes, telephone, having them show up in person, etc.).

After trying to think of a better, more secure way, I came up with the app above. You enter your password (or generate one) and it saves the encrypted PW in a database and gives you a link to access that password.

After the password has been accessed, it is deleted from the database, so you can be sure that the user is the only one who has seen it.

The passwords also expire within 24 hours, so even if the user does not view the password, it will be deleted automatically.

The entire site uses 256-bit SSL security, and at work it's cut down on password-related troubles quite a lot.

I'd appreciate any feedback on the app. Thank you very much.



Can you please define the pain that you're solving with a little more granularity? Is the issue the friction of getting the password to the user, or is it a security thing? If it's a security issue, there's still the problem of key distribution (rather, PIN distribution).

When I look at this quickly, I think, "hmm, email solves the distribution concern. And this isn't really a secure solution, so it doesn't solve the security concern." So what are you solving?


The pain is the inability to quickly and easily send passwords to users. Faxes used to be the original way to send passwords, but now many places no longer have fax machines, and giving passwords over the phone leads to mistakes and it is often hard for users to recognize long passwords with upper/lowercase as well as punctuation.

The main reason that sending passwords through email is insecure is that:

a) the password stays in the mailbox of the user, and can be read at a later time

b) if the mail is intercepted by a hacker, the user will never realize that the mail has been read, and the hacker has access to the username/password

SendMyPassword.net produces a link that is safe to send to your end user over email.

a) The link can only be used once, so the user can be sure that the password was not intercepted

b) The link will expire after a certain amount of time, so that even if the user does not view the password, no one can come by later and retrieve the password.

c) The entire site is SSL secure, and all passwords/links/etc. are encrypted, as security was our main goal.

I'm curious: How do you mean that this is not a secure solution?


Fair enough, I was just curious exactly how you saw the issue.

My concern on security is how do you transmit the PIN used to view the password? Unless I'm misunderstanding, and it's something more akin to pushing a password to another user's account.

I think your product does a good job, I'm just not sure if the pain is sufficient to overcome the additional complexity of requiring yet another transaction to a third party. What advantage does this offer over a tokenized link that allows you to set your password? It could also expire on opening/set time, which would address the email/security issues above.
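
The view-once, 24-hour link discussed in this thread, as an added example that is not code from any poster or from SendMyPassword.net: a minimal store whose read is also the delete. The class and method names are hypothetical, an in-memory dict stands in for the database, and encryption of the stored password is left out.

```python
import hashlib
import secrets
import threading
import time

TTL_SECONDS = 24 * 60 * 60  # the post says unviewed passwords expire within 24 hours


class OneTimeSecretStore:
    """In-memory stand-in (assumption) for the site's database."""

    def __init__(self, ttl=TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock          # injectable so expiry can be exercised in tests
        self._lock = threading.Lock()
        self._rows = {}              # sha256(token) -> (expires_at, secret)

    @staticmethod
    def _key(token):
        # Rows are keyed by a hash of the token, so the stored key alone
        # cannot be turned back into a working link.
        return hashlib.sha256(token.encode()).hexdigest()

    def put(self, secret):
        """Store a secret and return the unguessable token that goes in the link."""
        token = secrets.token_urlsafe(32)   # 32 random bytes from the OS CSPRNG
        with self._lock:
            self._rows[self._key(token)] = (self._clock() + self._ttl, secret)
        return token

    def take(self, token):
        """Return the secret once; None if unknown, already viewed or expired."""
        with self._lock:
            # pop reads and deletes in one step, so two concurrent requests
            # for the same link cannot both receive the password.
            row = self._rows.pop(self._key(token), None)
        if row is None:
            return None
        expires_at, secret = row
        return secret if self._clock() < expires_at else None

    def purge_expired(self):
        """Delete unviewed secrets past their TTL; returns how many were removed."""
        now = self._clock()
        with self._lock:
            dead = [k for k, (exp, _) in self._rows.items() if exp <= now]
            for k in dead:
                del self._rows[k]
        return len(dead)
```

A `None` from `take` on a link the recipient has never opened is the signal the thread relies on: someone else opened it first, so the password should be treated as exposed and reissued.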



