We keep the (public) keys users send us for future communication. The session key is typically sent via registered snail mail or, in some cases, sent over the phone. We then use that key to encrypt all sensitive data we send to this user with his key. If you intend to keep the user's password, then you have a problem: your procedure is insecure (because you still have the user's password in reversible encrypted format) and you should spend energy on fixing that instead.įinally, if you really need to send secure information to the user then you will need some kind of initial secure channel and some way to perform encryption.įor instance, the system I'm working on creates a PGP key for the user (on his system) and uploads it to our server after we provided the user with a session key. This is the password that you will need in order to enter the database when you open the file, so make sure it's memorable but unique.
Choose a place on your local drive to save the. If you can't, you'll have to accept the initial period of vulnerability. Click on the File tab at the top of the window, and select New. If you can use encryption (S/MIME or PGP) then all the better. More sophisticated systems will force the first logon and password change to happen within a limited period of time before disabling the account. The usual way to handle this is to set a random password, force a password change at first connection and send that password to the user. I dont trust online password managers because they are closed source and companies have been hacked in the.
0 kommentar(er)
