89

Every year an automated password reset occurs on a VPN account that I use to connect to the institution's servers. The VPN accounts/passwords are managed by the institution's IT department, so I have to send an email every year to follow up with the account controller in order to get the new password. This always ends in a phone call, because their policy is to not send passwords through email.

I have a vague understanding of why sending passwords through email is bad, but honestly I don't understand why telling someone a password over a phone would be any better. Assuming I have a 0% chance to change their policy (I really have no chance), why would telling someone a password over a phone call be more secure than email?

I am primarily focused on the ability for phone/email to be intercepted by a third party, but @Andrew raised a good point about the permanency of email.

There is some great information in this Q/A, but that question is about the most secure way to send login information, while I'm specifically asking about phone call vs email security.

Chris Cirefice
  • A phone call is usually not recorded for indefinite history, whereas an email is usually not deleted. The transport security of either depends on a lot of things (phone: was it a landline, 2G/3G/4G, VoIP; email: does SMTP use TLS, does the client use TLS, etc.) – Luc Aug 16 '18 at 17:44
  • @dandavis Just because your connection to gmail or whatever is secure does not mean the message will be encrypted all the way to the destination. https://superuser.com/questions/260002/why-are-email-transfers-between-mail-servers-often-not-encrypted – nasch Aug 16 '18 at 22:47
  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/81926/discussion-on-question-by-chris-cirefice-it-will-only-give-password-over-phone). – Rory Alsop Aug 20 '18 at 08:33
  • If only there was a secure channel ... such as the already existing VPN – Hagen von Eitzen Aug 20 '18 at 21:52
  • A couple of key points to remember when talking about passwords being more secure: if the end user has the phone on speaker, repeats the password or writes it down so they remember it, the extra security from it not going over email can be lost, especially if it is a password they are not forced to change or can't change. Another key point is that not everyone can use the phone, such as deaf, hearing impaired and people who have lost their voice for some reason, which means that other means of giving the user a password is needed. – Joe W Aug 21 '18 at 00:48
  • Actually having someone on the phone giving you the password is already 1 person too many knowing this password... And it is an indication that this password reset is managed in such a way that there is somewhere a list of all these passwords in clear text (or whatever 2-way encryption). I'm surprised they go over such a hassle when the whole process already has from the beginning some security flaws that I find more concerning. And I'm not a security expert... – Laurent S. Aug 22 '18 at 14:11
  • An additional reason could be verification that there is still an actual person using the account. A threat model could be an account hijacking, where the original user does not even use the account anymore. In this case the attacker would need to simulate a complete personal conversation, which is much harder for a botnet or a non-native speaker who might have compromised the account. – Falco Aug 22 '18 at 15:24
  • One crucial aspect of 2FA is that the factors need to be totally independent streams of delivery. Thus a 2FA authentication that is a password plus a smart card, or a password plus a key exchange, is not really effective. All three are fine authentication methods, but combining them isn't enforcing two factors. A phone call would do this (assuming you aren't answering your phone via a desktop app) as well as the added benefit Andrew Greer mentions of not leaving any record of the phone call audio. – Anthony Aug 23 '18 at 03:08

12 Answers

121

Emails are saved somewhere, whether it be on a mail server or someone's personal computer. Phone calls usually are not, unless it's a customer facing environment.

RocketSEA
  • That was my first thought as well. Another thing you might elaborate on is the transport security of both methods. (See also my comment on the question.) – Luc Aug 16 '18 at 17:44
  • @Luc That's what I was actually focused on initially, but Andrew makes a good point about the persistency of it all. I was originally thinking about how an email or phone call might be intercepted by a third party. – Chris Cirefice Aug 16 '18 at 17:47
  • @ChrisCirefice - While certainly, the phones could be tapped, it's far less likely than the computer systems being compromised. Especially if there's a land-line involved (...although these days, not likely to have a land line, but many businesses may indeed still use them). – BruceWayne Aug 16 '18 at 19:39
  • Easy to read an email over your shoulder, not as easy for a phone call. – Der Kommissar Aug 16 '18 at 20:22
  • As a matter of policy, my company records *all* phone calls, incoming and outgoing. The records are saved on the cloud behind credentials, and if an admin or the user who made the call wants, they can download the recording and send it via email. While it's not a common occurrence, it does happen. – JM-AGMS Aug 16 '18 at 20:27
  • Company internal phone calls are maybe not recorded. However, some countries order phone equipment with massive storage capacity. – Thomas Weller Aug 16 '18 at 23:13
  • @JM-AGMS Even in that case, it's harder to scan a whole audio repository for a password than a text repository. Although... I guess you could pass an audio-to-text process over the whole thing and then look for words similar to "password" – xDaizu Aug 17 '18 at 11:31
  • Unless you're careless with your PGP password, nobody else should be able to decrypt the email in the foreseeable future, so why is the storage a problem? – Toby Speight Aug 17 '18 at 12:08
  • Or a TLA eavesdropping – PlasmaHH Aug 17 '18 at 17:55
  • It's illegal to record phone calls. This has been on the law books since shortly after there were phones. In some states it requires all-party consent. In other states 1-party, but that still means the system can't record all calls with 0-party consent. If it's an interstate call, *the most restrictive law applies*. – Harper - Reinstate Monica Aug 18 '18 at 00:01
  • @Harper That is just the USA. In the UK it is common for phone calls to be recorded with just notice, rather than consent. – Jon Bentley Aug 18 '18 at 23:26
  • @Harper: Also, when using a company phone, it's often considered company business, and the company _is_ informed. – Mooing Duck Aug 20 '18 at 00:22
  • @Harper Surely you've called a company and had them notify you that "this call may be monitored/recorded for quality assurance purposes" before? It's certainly not illegal for them to record those calls. – Sparksbet Aug 20 '18 at 05:49
  • *Exactly*. They need to notify you of it, and if you choose to stay on the line anyway, that's consent. They can't just go "la la la, we're the company and own the switchboard and we give consent". Email may work that way, but the wiretapping laws are a bit older and were written when companies weren't people. – Harper - Reinstate Monica Aug 20 '18 at 06:58
  • Another important aspect is to have the username and the password go through different channels: the IT department **will** make typos from time to time, but as long as the typoed email address and the typoed phone number don't both belong to the same person (it has to be IT that initiates the call to the number listed in the official directory), the full credentials won't ever leak. – Bass Aug 20 '18 at 20:02
  • @TobySpeight security policies aren't and shouldn't be designed with the assumption that your population is security-conscious (i.e. using PGP keys) – mattliu Aug 22 '18 at 06:48
  • For any company dealing with Europe, GDPR is a much better reason (and I'd love to post this as an answer). By sending an email, the company must comply with the law regarding the storage of this data. This has a significant number of headaches associated with it. Keeping track of emails is common place. If the company does NOT record the phone call, it doesn't fall under GDPR; and as such much less care is required. – UKMonkey Aug 22 '18 at 11:46
58

This policy is common where usernames and passwords are sent via separate channels.

It doesn't matter which channels, just as long as the authentication pair is split apart and sent via different methods.

This is the accepted best practice because intercepting the right two channels is much harder than watching one channel for the authentication pair to simply pass by.

The reasoning behind this is that password changes are not done just when you forget a password but also when there is suspicion that an account has been compromised. For this reason password changes are done "out of band" to ensure that password updates are not easily captured.

In the world of IT security it is sometimes not about being perfectly secure. It is acceptable to be just hard enough to have attackers go try somewhere else.

Ben
  • +1 Adding to this: If it's easier for an attacker to defeat the password reset mechanism than to guess / phish your password, then your site isn't really password protected, is it? – Mike Ounsworth Aug 21 '18 at 17:35
  • Agreed (and upvoted!): the answer is "separate channels" :) I'd slightly nitpick the last paragraph, though, in that it's not so much that people will "try somewhere else", as that "defense in depth" is all about layered security, no one layer of which can be a complete defense against all possible attacks. – Dewi Morgan Aug 23 '18 at 14:19
56

Emails may (though as @Luc points out, not always) be sent in plaintext across the internet. That means they may be logged by your email provider, your ISP, your recipient's ISP, your recipient's email provider, or any of the networking equipment in-between. As the sender, you also have no control over who is looking over the shoulder of the person as they open the email.

With a phone call, you have more control over verifying that you are talking to the correct person, they can refuse to answer if they are in a public place, etc. Plus, while there are no guarantees that it's not being recorded, at least there's a good chance it isn't -- unlike email, which has a 100% chance of being in some database somewhere.

Mike Ounsworth
  • However, a lot of VoIP is transported unencrypted over LANs and the Internet. And on the TDM side of the phone network, there's no encryption or authentication whatsoever. – user71659 Aug 16 '18 at 18:07
  • @user71659 Fair enough. I have no experience in telephony. With text logs from email servers etc, it's super easy to ctrl+f for passwords. Assuming an unencrypted telephone network and / or VoiP packets, is it similarly easy to extract the password? – Mike Ounsworth Aug 16 '18 at 18:09
  • Note that we are talking about a company here. Presumably internal email will never leave their premises. So yeah I point out that it's not always sent in plaintext, but for completeness, in this particular scenario it's actually *likely* that it is sent securely. Phone calls, on the other hand, almost always leave the premises since people usually only call via mobile phones these days (again, the case is different for internal VoIP or DECT, or in the case of CCC: GSM) – Luc Aug 16 '18 at 18:23
  • @MikeOunsworth It's certainly harder to deal with speech recordings (paying somebody to transcribe on Mechanical Turk is an idea). However, if everybody is resetting at the same time of year, you can, for example, filter the SIP and recording streams for short calls to the IT helpdesk. – user71659 Aug 16 '18 at 18:24
  • @Luc If you assume internal e-mails don't leave the premises, an internal PBX call wouldn't either. The IT desk can do something like only call you at your desk as listed in the company directory. – user71659 Aug 16 '18 at 18:25
  • @user71659 Don't people usually use mobile phones instead of desk phones these days? I might be wrong, I haven't done a survey across thousands of companies around the world, but in my experience you usually get a smartphone issued with a regular number on a national network, and that's your primary phone number for the company to reach you. – Luc Aug 16 '18 at 18:26
  • @Luc Not in the US. My opinion is a desk phone is more comfortable to use, has better acoustics, doesn't use heavy speech compression, doesn't have dropouts. It's a far more professional experience. You also have issues when somebody needs to call 911, and with coverage, like an office in a basement. The US also, until a few years ago, had tax issues writing off cell phones. – user71659 Aug 16 '18 at 18:29
  • @Luc Bit of a catch-22 there: when you reset your VPN password you get the new one over email, which never leaves the corporate network, which you need to VPN in to access. It sounds like the OP is sending emails to IT from outside the VPN and wanting the password to be returned that way. – Mike Ounsworth Aug 16 '18 at 18:32
  • @Luc As for mobile phones, my company also uses VoiP desk phones / software where I presume traffic for internal calls stays internal to the corporate network or at least the VoiP provider's network. – Mike Ounsworth Aug 16 '18 at 18:40
  • @user71659 A VoIP attacker needs to have a pre-established presence to proxy the session, have access to dump an intermediary network interface, or is stuck trying to falsify one party and force a session renegotiation live. You need to have a fairly significant presence or a lot of set-up time to do that. It's certainly not impossible, but I'd call that a much more sophisticated attack, and most certainly one that's much more difficult to do without leaving evidence. – Iron Gremlin Aug 17 '18 at 01:06
  • @IronGremlin And how are those different from intercepting e-mail in transit? It's all IP traffic. – user71659 Aug 17 '18 at 01:07
  • @user71659 Because it's a pain in the ass to route a VoIP call over a proxy even if you're doing it as a legitimate and authorized proxy that both endpoints are aware of. – Iron Gremlin Aug 17 '18 at 01:15
  • @IronGremlin I don't get it. SBCs are standard in any architecture when you leave the enterprise. If you got TDM, you got a media gateway. Asterisk is a B2BUA. If I make a conference call on Cisco CallManager, it automatically inserts a conference bridge transparently. When my softphone is off our LAN, it automatically tunnels through Cisco Expressway. When I call from my VoLTE phone, it sets up an IPSEC tunnel to the P-CSCF. When I hit hold on my phone, a SIP re-invite basically sets up a new call with the hold music stream... – user71659 Aug 17 '18 at 01:19
  • @Luc your assumption that emails don't leave the premises is sadly no longer true (even assuming the user doesn't download them from offsite). Here our email system is handled by Microsoft's servers; at the last place it was Google. – Chris H Aug 20 '18 at 12:09
  • @ChrisH That's included in "Not leaving the premises": if you trust them with all your email in the first place, then it's not going to make a difference that they also do the internal transit of emails. – Luc Aug 20 '18 at 15:03
  • For non-VoIP cases, unless you're using special hardware, the audio is almost always sent unencrypted; you might point at e.g. mobile phones and say that there's encryption, which is true, but it only covers the radio part of the call. On the telephone network itself, it's unencrypted and can easily be intercepted by anyone with network access. Also, in the case of the "unencrypted email on the Internet could be logged", while technically true, the fact that the network is packet switched means it's often only practical for those parties whose equipment is *necessarily* in the data path. – al45tair Aug 23 '18 at 12:38
  • @alastair Agreed. I don't think anybody here is arguing that it's impossible to eavesdrop on telephony, or that it's always possible to intercept email; just that _in general_ it's easier to get your hands on and mine passwords out of email text data compared to voice data. – Mike Ounsworth Aug 23 '18 at 21:35
  • Definitely easier to mine text data rather than voice data (though converting voice to text isn't beyond the wit of man). As for getting your hands on it, it's very situation dependent; in particular, if any of the traditional, low-tech approaches are an option, then it's really very easy compared to any kind of hacking/network-access-required situation. I tend to think the security of telephony is overstated and that of email understated because lots of us focus too much on the digital side of things and forget the old-fashioned stuff. – al45tair Aug 29 '18 at 15:13
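The transport question raised in this answer and in Luc's comment on the question (does every SMTP hop actually use TLS?) can be audited after the fact from a message's own Received: headers, since each receiving server writes one and, in Postfix/Sendmail conventions, records "with ESMTPS" and a TLS clause for an encrypted hop and plain "with ESMTP" for a cleartext one. The following is an added example, not code from this answer or from any mail system mentioned on the page; the sample message, its host names, queue IDs and timestamps are constructed, and the regexes only cover the Postfix/Sendmail-style wording shown.

```python
import re
from email import message_from_string

# Constructed sample message, not a real capture. Received: headers are
# prepended by each server that accepts the message, so the newest hop is on
# top. "with ESMTPS"/"ESMTPSA" plus a "(using TLS...)" or "(version=TLS...)"
# clause marks a TLS-protected hop; plain "with ESMTP" marks a cleartext hop.
SAMPLE_MESSAGE = """\
Received: from mx.example.edu (mx.example.edu [192.0.2.10])
\tby mail.example.edu (Postfix) with ESMTPS id 4F2A1C
\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
\tfor <user@example.edu>; Thu, 16 Aug 2018 17:30:12 +0000
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
\tby mx.example.edu (Postfix) with ESMTP id 9B7D3E
\tfor <user@example.edu>; Thu, 16 Aug 2018 17:30:10 +0000
Received: from helpdesk-pc (helpdesk-pc.lan [10.0.0.5])
\tby relay.isp.example with ESMTPSA id 12AB
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384)
\tfor <user@example.edu>; Thu, 16 Aug 2018 17:30:08 +0000
From: helpdesk@example.edu
To: user@example.edu
Subject: VPN account

Your new VPN password is in the attached note.
"""

# Markers the receiving server writes when the inbound session was TLS-protected.
TLS_RE = re.compile(r"\b(?:ESMTPSA?|using\s+TLS|version=TLS|TLSv1)", re.IGNORECASE)
# "from <sender host> ... by <receiving host>" at the start of every Received: clause.
ENDPOINTS_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", re.IGNORECASE)


def hop_report(raw_message):
    """One dict per hop, oldest hop first: who handed the message to whom, and
    whether the receiving server recorded that hop as TLS-protected."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())          # unfold the continuation lines
        m = ENDPOINTS_RE.search(text)
        src, dst = m.groups() if m else ("?", "?")
        hops.append({"from": src, "by": dst, "tls": bool(TLS_RE.search(text))})
    return hops


def first_cleartext_hop(raw_message):
    """The earliest hop that was not TLS-protected, or None if every hop was."""
    for hop in hop_report(raw_message):
        if not hop["tls"]:
            return hop
    return None


if __name__ == "__main__":
    for hop in hop_report(SAMPLE_MESSAGE):
        state = "TLS" if hop["tls"] else "CLEARTEXT"
        print(f"{hop['from']:>20} -> {hop['by']:<20} {state}")
    leak = first_cleartext_hop(SAMPLE_MESSAGE)
    print("all hops encrypted" if leak is None
          else f"cleartext between {leak['from']} and {leak['by']}")
```

On the constructed message the middle hop (ISP relay to the institution's MX) was cleartext, which is exactly the case nasch's superuser link describes. The report only reflects what each receiving server chose to write: a server can omit or forge the header, opportunistic STARTTLS says nothing about whether the peer's certificate was validated, and an encrypted transport still leaves the text in clear in every mailbox, queue and log along the way. It is a tool for finding out whether a password has already been exposed, not an argument for sending one by email.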
32

Even if both the email and phone conversation are recorded, it is orders of magnitude easier to search an email database for "password" than it is to search voice recordings.

However, best practices say that one, and only one person should know the password for an account, and that is the person who owns the account. The admin should not know it, nor should the server (i.e. hashed password).

The usual way to do this would be: if the password has recently (for a given value of recently) expired, the user can use their old password, but immediately on being authenticated (before logging in), they are forced to change their password, then immediately disconnected. If the password has expired some time ago, the administrator can mark the expired password as "recently expired" for a short period of time (e.g. 10 minutes). The administrator does not need to know what this password is. If the user has forgotten their password, the administrator can issue a short-lived (e.g. 10-minute) password which also forces an immediate change of password.

Also, if a user has changed their own password in the last year, they should be exempt from the change (until exactly 1 year after their last change).

The theory that a password should be changed once per year is also exceedingly dubious, in most cases - if a password is compromised, it is usually maximally exploited immediately. Only giving an attacker "only" 6 months of access (on average) seems fairly pointless (or "only" 6 days for that matter). This suggests 2-factor authentication, with the second factor being unique each time (Google Authenticator, OTP, OPIE, challenge-response etc), if the resource is worth protecting.

An admin should not know a user's password, if it can be avoided. If needed, they should have the ability to become another user with their OWN password, which is then written to an audit log. This is especially important if there are several levels of "administrator" (i.e. if there are people who can change passwords, but not affect the audit log).

Minor obfuscations (such as security by audio, image etc), are dangerous, because they foster complacency without security.

AMADANON Inc.
  • Yes, though it would be easy enough to add a hurdle here by only sending an image file with the name `kitten.gif` which actually contains a “screenshot” of the text `new password: pwd1234`. A determined attacker will be able to crack this just as well as a phone recording, but not simply with `grep`. Either method is only security through obscurity. – leftaroundabout Aug 17 '18 at 13:22
12

In a secure system, passwords provided by IT should only be temporary, one time use only, random strings, so the user has to immediately type it in and change it to their own new secret password. IT should never know or transmit a user's "real" password.

Users need to be vetted prior to the reset and that is much easier done by voice call, ask a question, get an answer, done.

Even if the temp. password is overheard on a call, there would not be any time for it to be used. Emails, however are sometimes neglected for some time before being read, giving an attacker the chance to do their worst.

Additionally, a recorded voice call can be used to identify if a user has been impersonated later on, whereas you can't tell who looked at an open email screen or remote email server.

My 10 years of experience are in a financial institution environment so this level of security may not be economically justified if security needs are less stringent. Paying for IT bodies is expensive and most systems/apps are going to web based security anyway, so the days of IT password resets by voice are numbered in any event.

  • I agree with your answer, but sadly there is no password management from the end-user side in this VPN system. So IT sets the password and then changes it every year. It’s not a secure system in the slightest, since IT knows all user passwords. Worse, the password wasn’t high-entropy (8 characters and 2 numbers, no symbols). – Chris Cirefice Aug 18 '18 at 15:47
8

The security of an email is hard to establish. The email is most likely kept in archives (there are even some regulations for certain companies). So sending a password in an email is a bad idea from that standpoint. Email intercept could also happen.

Phone, on the other hand, is less likely to be recorded, but phone intercept or recording could exist. So it isn't that great of an idea. I read a comment that land lines are harder to tap than computer systems - I would disagree. Tapping a traditional phone line is much simpler than hacking a remote server. VOIP phones require new techniques, but they are not that hard either - plug in a hub, connect your PC to one port of the hub, and you now have a copy of all packets, and VOIP decoding software abounds. It's probably harder to intercept a cell phone signal, but I don't know, I haven't done it.

One (maybe perceived) benefit of using the phone over the email is the assurance that you are giving the password to the person you want to give the password to. Being a system administrator myself, who has to reset passwords, this is something I can attest to. If you send an email, you don't really know who is on the other end. It could be a spoofed email, hijacked account, etc. If you know the person, you can recognize the person's voice. You can ask some questions to verify authenticity (you could do that on email too but there is a safety feeling when doing it over the phone).

Now, having an administrator set a password that remains the password, and not letting the user set their own password, is really bad practice in my opinion, because the password now has to be transmitted, and whatever is transmitted is going to be the password forever after.

ETL
3

Is there more to the policy? In many organizations they will give a new password over the phone, but they must know the person's voice and the person must answer a question (who is your boss, when was your last review).

It's somewhat similar to a multi-factor authentication process.

Joe M
2

The logic I use when insisting on using phone or text to send the password is the fact it's a second channel.

Even with all of the insecurities detailed above of email, if the email was sent with only the password in it, there is not enough information for malicious use. However, if you intercept an email that has a similar meaning to "Your password for account xxx on service yyy has been changed to zzz", you have everything you need to access the account.

Sufferer
  • You're assuming the email is coming from an address at a different domain. If an attacker gets an email with a password from "noreply@example.com" to "alice@gmail.com", the first thing they would try is signing into example.com with username "alice" and the password from the email. – AndrolGenhald Aug 16 '18 at 21:55
1

At the moment, it is far easier to intercept an email. This can change in the future, but for now:

  • Emails are designed to be stored for arbitrarily long periods of time. You can expect that at least one, if not several servers saved off all of the data.
  • Emails are easier to process. Identifying emails containing passwords is relatively easy. Identifying them in phone calls is harder. If an adversary is listening in, it's obviously going to be trivial to capture the password. However, listening in requires more resources.
    • At some point, AI is going to make this much easier. But that does not seem to be the case at the moment.

It really does depend on your threat model. How valuable is this password? I would assume the banking credentials of a billionaire would be protected better than this, or classified information, but the smaller one is, the more the resources invested in getting the information start to matter.

Cort Ammon
  • It isn't easier to intercept an email. It's much easier to intercept a phone call over an analogue line than it is to get into the data path of an email transaction — and furthermore, email servers actually often do use encryption when transferring messages. – al45tair Aug 23 '18 at 12:41
  • @alastair Is that true even when one does not know which particular email or phone call was important? Offhand, it seems easier to capture and process a million emails than it takes to capture and process a hundred phone calls. At the very least we do indeed act on the illusion that what I say is true. In the US attorney-client confidentiality is legally protected if you took enough efforts to protect the communication. It is deemed "sufficiently protected" for a landline phone call, but emails are not. – Cort Ammon Aug 23 '18 at 14:19
  • Processing phone calls is certainly harder, but I think capturing calls is easier. I think if you concentrate on the computer/data networking side of things it might not seem that way, but then you've forgotten all the old-fashioned methods of listening in on telephone conversations, which are generally very much easier than hacking network gear to intercept packets. Processing isn't catastrophically difficult either (just requires speech recognition, or manpower; even Mechanical Turk would work). – al45tair Aug 29 '18 at 15:01
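RocketSEA's answer (emails are saved somewhere, and xDaizu's follow-up that a text repository is easy to scan) and the second bullet of the answer above (identifying emails containing passwords is relatively easy) come down to the same fact: a stored mailbox is trivially searchable, by an attacker who has obtained it or by a defender auditing it. The following is an added example, not code from either answer: it runs that scan over a constructed three-message archive (addresses, hosts and secrets are made up) and, picking up Sufferer's point further up about second channels, records whether the same message also hands over the username and the target host. The patterns are illustrative starting points, not an exhaustive credential detector.

```python
import re
from email import message_from_string
from typing import Dict, List, Optional

# Constructed mail archive standing in for a server store or a "Sent" folder.
# Not real traffic; every address, host and secret is invented.
ARCHIVE = [
"""From: helpdesk@example.edu
To: user@example.edu
Subject: Your VPN account

Username: ccirefice
Password: Tr0ub4dor&3
Server: vpn.example.edu
""",
"""From: news@example.com
To: user@example.edu
Subject: Weekly newsletter

Forgot your password? You can reset it from the account page.
""",
"""From: ops@example.edu
To: user@example.edu
Subject: re: wifi

the guest wifi password is Summer2018 , same SSID as last year
""",
]

# A credential keyword, a separator ("is", ":" or "="), then the value.
# The newsletter's "password?" never matches because no separator follows.
PASSWORD_RE = re.compile(r"(?i)\b(?:pass(?:word|phrase|wd)|pwd)\b\s*(?:is|:|=)\s*(\S+)")
USERNAME_RE = re.compile(r"(?i)\b(?:user(?:name)?|login|account)\b\s*(?:is|:|=)\s*(\S+)")
HOST_RE = re.compile(r"(?i)\b(?:server|host|url|vpn)\b\s*(?:is|:|=)\s*(\S+)")


def scan_message(raw: str) -> Optional[Dict[str, Optional[str]]]:
    """Return a finding if the message appears to carry a password, noting
    whether the same message also gives away the username and the target."""
    pw = PASSWORD_RE.search(raw)
    if not pw:
        return None
    msg = message_from_string(raw)
    user = USERNAME_RE.search(raw)
    host = HOST_RE.search(raw)
    return {
        "from": msg["From"],
        "subject": msg["Subject"],
        "password": pw.group(1),
        "username": user.group(1) if user else None,
        "host": host.group(1) if host else None,
        # A message that carries the whole pair is directly usable; a lone
        # password still needs the attacker to guess the account and service.
        "severity": "full credential" if user else "password only",
    }


def scan_archive(archive: List[str]) -> List[Dict[str, Optional[str]]]:
    """Scan every stored message; messages without a password are skipped."""
    return [f for f in (scan_message(m) for m in archive) if f]


if __name__ == "__main__":
    for f in scan_archive(ARCHIVE):
        print(f"[{f['severity']}] {f['from']!r} {f['subject']!r}: "
              f"user={f['username']} host={f['host']} password={f['password']}")
```

The helpdesk message is the worst case the separate-channel answers warn about: username, password and the server to use it on, all in one searchable record that will sit in at least two mailboxes and probably a backup. The wifi message shows the other side of Sufferer's argument; the password alone is recovered, but the scan cannot tell what it opens.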
1

The main catch on a phone call is that phone calls are still susceptible to social engineering attacks, where a caller can cajole a trusted individual to give them access.

On the phone, I selected an automated menu to “get help with logging in to my account”. The customer service rep, Christine, was very friendly and asked me for my email and home address in order to work with me to get access to my account.

I think we found our problem… Christine only needed these two pieces of information to get me into my account? No password? No mobile phone? No other piece of information? What’s keeping someone from finding my email and home address from a database and calling to take over my account?

So nobody can sniff out your email (potentially unencrypted), but all I need is their phone number and a little bit of info about you and I could be doing this:

Hello, this is Chris Cirefice. I've lost my VPN login again. I coulda swore I wrote it down, can you give me a new one? Wow, that would be great, let me get a pen and paper...

Machavity
0

There are several good answers about why sending Password = -value- in an email are bad.

BUT

No one is mentioning that if the password is simple enough to be easily communicated by voice, it is probably not complex enough to be effective, and the receiving party is probably going to write it on a piece of paper...

Related XKCD #936: Short complex password, or long dictionary passphrase?

James Jenkins
  • There's nothing wrong with writing passwords on a piece of paper. A lot of secure information gets written on pieces of paper. It's what steps you take to ensure that only the right people can see the piece of paper that matters. – Michael Kay Aug 17 '18 at 22:03
  • Given that communicating long serial numbers or contract support numbers, 16+ characters in length, is fairly routine over the phone, I don't see why communicating a 16+ character password would be more difficult. Yes, they will write the complex password down but they will do that anyway if they get it via email. – doneal24 Aug 18 '18 at 16:05
  • @DougO'Neal A password should also contain special characters, the names of which most people (or at least me) are not familiar with. – James Jenkins Aug 18 '18 at 23:54
  • Also, nobody seems to be questioning the notion that the user isn't allowed to change their own password to something only *they* know. – Michael Aug 19 '18 at 16:19
  • @schroeder read the question again. This is not a temporary password, this is an annual required change, with the password provided by the caller. The OP does not have the option to change it. – James Jenkins Sep 23 '18 at 23:42
  • The question does not say that the users cannot change their passwords. But a subsequent comment on another answer provides that information. Still, 4 random words are more than enough complexity. And people know what a "space" and punctuation marks are. As people are going to be entering the password in a configuration file of their VPN client, it's going to be "written down" anyway. – schroeder Sep 24 '18 at 06:49
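The two claims argued in these comments, that a password dictated by phone must be readable aloud and that four random words already beat a short "complex" password, can both be checked in code. The following is an added example, not from the answer or the XKCD strip: it compares the entropy of the 8-letters-plus-2-digits shape mentioned elsewhere on this page (assuming the letters and digits are chosen uniformly at random, which is an upper bound for a human-chosen one) with a four-word diceware-style passphrase, generates such a passphrase with a CSPRNG, and spells an arbitrary secret in a phone-safe form using the NATO alphabet. The 64-word sample list, the 7776-word list size and the symbol names are the example's own assumptions.

```python
import math
import secrets
from typing import List

# Constructed 64-word sample list. A real diceware list such as the EFF long
# list has 7776 words, which is what the entropy comparison assumes.
WORDS = ("acorn amber anchor apple badge baker barge basil beach bench berry birch "
         "blade brass bread brick cabin camel candle canoe cargo cedar chalk cherry "
         "cider cliff cloud clover cobalt comet copper coral crane daisy delta denim "
         "dune eagle ember fable falcon fern ferry field flint forge fossil garden "
         "gazelle ginger glacier goblet granite gravel harbor hazel heron honey iris "
         "ivory jasper juniper kayak kettle").split()
DICEWARE_LIST_SIZE = 7776


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols each drawn uniformly from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)


def vpn_style_password_bits() -> float:
    """8 lowercase letters followed by 2 digits, the shape described on this page."""
    return entropy_bits(26, 8) + entropy_bits(10, 2)


def passphrase_bits(n_words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of n words drawn uniformly from a list of list_size words."""
    return entropy_bits(list_size, n_words)


def generate_passphrase(n_words: int, wordlist: List[str] = WORDS) -> str:
    """Uniform random passphrase; secrets.choice is a CSPRNG, random.choice is not."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


NATO = ("alfa bravo charlie delta echo foxtrot golf hotel india juliett kilo lima mike "
        "november oscar papa quebec romeo sierra tango uniform victor whiskey xray "
        "yankee zulu").split()
DIGITS = "zero one two three four five six seven eight nine".split()
SYMBOLS = {"!": "exclamation mark", "@": "at sign", "#": "hash", "$": "dollar sign",
           "%": "percent", "&": "ampersand", "*": "asterisk", "-": "hyphen",
           "_": "underscore", ".": "full stop", ",": "comma", "/": "slash",
           "?": "question mark", " ": "space"}


def spell_for_phone(secret: str) -> List[str]:
    """One unambiguous spoken token per character, so case, digits and symbols
    survive a phone call without 'was that a B or a P?' follow-ups."""
    spoken = []
    for ch in secret:
        if ch.isascii() and ch.isalpha():
            word = NATO[ord(ch.lower()) - ord("a")]
            spoken.append(f"capital {word}" if ch.isupper() else word)
        elif ch.isdigit():
            spoken.append(f"digit {DIGITS[int(ch)]}")
        elif ch in SYMBOLS:
            spoken.append(SYMBOLS[ch])
        else:
            spoken.append(f"character U+{ord(ch):04X}")   # anything not in the tables
    return spoken


if __name__ == "__main__":
    print(f"8 letters + 2 digits : {vpn_style_password_bits():.1f} bits")
    print(f"4 diceware words     : {passphrase_bits(4):.1f} bits")
    phrase = generate_passphrase(4)
    print("sample passphrase    :", phrase)
    print("spoken               :", ", ".join(spell_for_phone("Tr0ub4dor&3")))
```

Four uniformly chosen words (about 51.7 bits) beat the eight-letters-plus-two-digits shape (about 44.2 bits) and need no symbol names at all; the spelling helper covers the case where the password has to stay "complex" and still be dictated.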
-4

Emails are generally not saved, however wireless signals can be hacked, as well as wiretapping landlines. The best way to do this is with an HTTPS website.

  • Welcome. "Emails are generally not saved" - this is an odd opinion to me since email servers will log or store emails for extended amounts of time (certainly more than a year), and the emails will exist in the sender's "sent" box until specifically purged. Yes, Wireless signals can be hacked, but the skill and timing involved seems to be a significant barrier. – schroeder Aug 19 '18 at 21:54
  • Companies are not-uncommonly *required* to save emails. And from my experience, they'll do it even if they don't actually have to. – cHao Aug 22 '18 at 02:20
  • :-) Emails *are* generally saved, one way or another, sometimes long-term. However, I think the crux of the matter here is that it's a good bet that most attackers will not be able to compromise both email *and* telephony, so using two separate routes to communicate username and password is a security win. This still won't protect against all attackers; if your adversary is a nation state, you might want to take still more extreme measures. – al45tair Aug 23 '18 at 12:45
  • IT WAS A TYPO OK – bluninja1234 Sep 08 '18 at 23:26
  • MINUS THE NOT PEOPLE SORRY GUYS – bluninja1234 Sep 08 '18 at 23:26