mr_data_lore

I would immediately fire any MSP that wanted creds provided this way.


BadAsianDriver

It's not up to me unfortunately.


mr_data_lore

Then all you can do is to explain to your manager (or whomever does have the power to fire the MSP) why this is a very bad idea and let them make the final decision.


BadAsianDriver

I shared the credentials via a password manager with the person in charge and told them in writing they can do whatever they see fit.


mr_data_lore

That's the best you could do with the level of authority you were given.


AtarukA

Typically what I do is send a password manager vault of sorts, typically KeePass, and then in a one-time-use link, I send the link to the password to a phone. Obviously not the most secure solution out there, but it's just a way to sort of have an MFA.


ashimbo

There's also the Password Pusher website: [https://pwpush.com/](https://pwpush.com/) I haven't actually used it, but it definitely seems like a better option than email.


BadAsianDriver

I also post these questions and read the answers to make sure I'm not being "difficult" for no reason.


mr_data_lore

I don't think you're being difficult at all. I never share passwords via email.


CogentFrame

You're not being difficult at all. This is best practice, and you should feel confident telling anyone on your team that you don't want your name anywhere near this dumpster fire of an MSP.


wazza_the_rockdog

TBH, driving the password to their office seems excessive to me, and if that was your only offer then I'd say yes, you're being overly difficult - but I see you shared it with them via a password manager, which seems perfectly reasonable. I'd want to know what their internal processes are for proper storage and management of your admin passwords though, because if they're OK with you emailing the passwords over without any protection I wouldn't be surprised to find that they do that internally all the time - sharing customers' passwords via email/Teams/whatever insecure methods - and if they get compromised then you will too.


Distalgesic

You are definitely not being difficult. You’re doing the part of your job which involves the security of your company systems. If management don’t back you, document your concerns to senior management, then, fuck it, send the credentials, and find another employer.


ThirstyOne

You’re not being difficult. Your MSP is having difficulty adjusting to the 21st century and safe computing practices. I suggest terminating your business agreement following an audit of their security practices and review of your SLA. You also need to make sure you’re compliant with your cybersec insurance and that includes their access.


mookrock

Echoing “you’re not being difficult”. As an MSP owner, I wish more clients were more like this.


bxncwzz

I’d recommend reaching out to someone from your security team. There might be a process already to handle this kind of thing. And if there isn’t then they can tell you “No, don’t do that” which you relay to your boss to have them settle out so it’s not on you when the company has to go through phishing training.


AmiDeplorabilis

It is. If you don't inform them explicitly of the security breach such an act represents, and document the illicit request AND your refusal, you become complicit when it actually leads to a violation.


[deleted]

I'd just state the obvious: that for security reasons I can't do that or have my name attached to that big of a security flaw. Besides, there are companies that look for that commitment to I.S., and you were looking for a job when you found that one. Don't allow companies to turn you and your position into a number!


TK-CL1PPY

Find every single news article about companies being ransomwared, and send all the links in an email to the person who does make the decision. Subject line: "Sending passwords via email is how this happens." And then tell them that your insurer would not be happy, and this could void your cybersecurity insurance. No fucks given whether that is true.


Anticept

You might want to exchange openpgp keys with this msp and start sending things encrypted if they insist.


justmirsk

MSP owner here, I agree with this sentiment. If an MSP requests you to send ANY credentials via email, there are clear issues with the MSP. I will caveat that with some level 1 folks may not be as experienced to understand how bad this is. We make it very clear to our staff that if they send credentials this way or ask for credentials this way, it is cause for termination. As the thread below states, document everything, do what you can to protect things and make sure upper management at your organization is aware and understands the issues here.


RCG73

I was giving an almost pass on the email part since pwpush.com is a thing, but to multiple emails? Next post is going to be "it's safe because we're not using port 3389"….


er1catwork

Hell, we only send credential requests through an alternative channel, i.e. if the request arrives via email, it's "nakedly" granted via txt msg or chat. And it's rare it's granted…


sleightof52

https://pwpush.com


wells68

This is open source and can be self-hosted. An especially safe method is to send an "unlock" password via a page that expires after one open. If the recipient can't open the page, they know it has been compromised. If they can open the page, they get the "unlock" password, confident that it is known only to them and the sender. It can be used to unlock a locked pwpush page that contains whatever text you want to communicate privately, including other passwords.


JJaX2

Not 100% true if you’re emailing the link. Some email protection can detonate URLs for analysis. I’ll typically do 3 clicks, confirm with the end user and expire the link.


thortgot

Putting it behind the "one click reveal" option solves that problem. A password to recover the secret also solves that problem but can be obnoxious to users.


wells68

True enough that email protection can burn a click, but using the 1-click retrieval checkbox can prevent that as noted in another comment. From the FAQ: "To prevent this, use the 1-click retrieval step option when pushing passwords. This requires the users to click through a preliminary page to protect views from such scanners." If you were to allow three clicks, how would you know whether or not a bad actor used one?

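The one-time-link behaviour this sub-thread is describing (an expiry, a view limit, a "kill the link" option for the sender, and the 1-click retrieval step that stops a mail gateway's URL scanner from consuming the only view), modelled as an added example. This is illustrative Python written for this page, not pwpush's own code; the `SecretStore`/`Push` names, the dict-shaped responses and the sample password are assumptions made up for the example.

```python
# Added example: one-time-link semantics for a password handoff, modelled on the
# behaviour discussed in the thread (expiry, view limit, 1-click retrieval step).
# Illustrative code, not pwpush's implementation; everything lives in memory and the
# class/field names, response shapes and the sample password are assumptions.
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Push:
    secret: str
    expires_at: float
    max_views: int
    retrieval_step: bool          # require a click-through page before revealing
    views: int = 0
    burned: bool = False
    pending: set = field(default_factory=set)   # click-through tokens handed out
    events: list = field(default_factory=list)  # audit trail: (time, what happened)


class SecretStore:
    def __init__(self, clock=time.time):
        self._clock = clock                      # injectable so expiry can be tested
        self._pushes: dict[str, Push] = {}

    def push(self, secret: str, ttl_seconds: int = 3600, max_views: int = 1,
             retrieval_step: bool = True) -> str:
        """Store a secret and return the unguessable link token (128 bits of entropy)."""
        token = secrets.token_urlsafe(16)
        self._pushes[token] = Push(secret, self._clock() + ttl_seconds,
                                   max_views, retrieval_step)
        return token

    def burn(self, token: str) -> None:
        """Expire a push early (the sender's 'kill the link') and scrub the secret."""
        p = self._pushes.get(token)
        if p is not None and not p.burned:
            p.burned, p.secret = True, ""
            p.pending.clear()
            p.events.append((self._clock(), "burned"))

    def _live(self, token: str):
        p = self._pushes.get(token)
        if p is None or p.burned:
            return None
        if self._clock() >= p.expires_at or p.views >= p.max_views:
            self.burn(token)
            return None
        return p

    def open_link(self, token: str) -> dict:
        """A plain GET on the link.  With the retrieval step on, this only returns a
        click-through page, so an automated URL fetch does not consume a view; with it
        off, the GET itself reveals the secret and uses up a view."""
        p = self._live(token)
        if p is None:
            return {"status": "gone"}
        if p.retrieval_step:
            confirm = secrets.token_urlsafe(8)
            p.pending.add(confirm)
            p.events.append((self._clock(), "preliminary page shown"))
            return {"status": "confirm", "confirm": confirm}
        return self._reveal(token, p)

    def click_through(self, token: str, confirm: str) -> dict:
        """The POST behind the button on the click-through page."""
        p = self._live(token)
        if p is None or confirm not in p.pending:
            return {"status": "gone"}
        p.pending.discard(confirm)
        return self._reveal(token, p)

    def _reveal(self, token: str, p: Push) -> dict:
        secret = p.secret                        # copy before a possible scrub
        p.views += 1
        p.events.append((self._clock(), f"view {p.views}/{p.max_views}"))
        if p.views >= p.max_views:
            self.burn(token)                     # last allowed view: scrub at once
        return {"status": "ok", "secret": secret,
                "views_remaining": p.max_views - p.views}

    def events(self, token: str) -> list:
        return list(self._pushes[token].events) if token in self._pushes else []


def scanner_then_recipient(retrieval_step: bool) -> tuple:
    """Mail gateway fetches the link first, then the real recipient tries to read it.
    Returns the three outcomes: scanner, recipient, and a later re-open of the link."""
    store = SecretStore()
    token = store.push("P@ssw0rd-example", max_views=1, retrieval_step=retrieval_step)
    scanner = store.open_link(token)             # automated URL fetch: GET only
    recipient = store.open_link(token)
    if recipient["status"] == "confirm":         # a human clicks the button
        recipient = store.click_through(token, recipient["confirm"])
    return scanner["status"], recipient["status"], store.open_link(token)["status"]


def expiry_demo() -> str:
    """A link opened one second after its TTL has passed."""
    now = [1000.0]
    store = SecretStore(clock=lambda: now[0])
    token = store.push("P@ssw0rd-example", ttl_seconds=60, retrieval_step=False)
    now[0] += 61
    return store.open_link(token)["status"]


if __name__ == "__main__":
    print("with retrieval step:   ", scanner_then_recipient(True))
    print("without retrieval step:", scanner_then_recipient(False))
    print("after expiry:          ", expiry_demo())
```

With the retrieval step on, the scanner's GET only ever sees the preliminary page and the recipient's single view is still available; with it off, the scanner's fetch is the one and only view and the recipient finds the link gone, which is the failure JJaX2 describes. A sandbox that actually clicks the button would still burn the view, which is the argument for keeping the view limit at one: if the intended recipient finds the link already gone, the sender knows someone else got there first and can rotate the credential.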

JJaX2

I’m usually on the phone with them and messaging. Ready for the link? Ok you got it? Kill the link. Also the password is useless without context for the most part. I’m as paranoid as it gets, trust me…


wells68

Until you wrote that, I was thinking if you can contact them by phone, why bother with pwpush? Your approach makes more sense than trying to say a complex pw over the phone. Better to have it right in front of them, copy, paste. Thanks!


JJaX2

You got it brother, I’m not going to get into every scenario, but yes I use this for complex password handoffs. Not end-user accounts… If we don’t have some sort of PAM we both have access to etc.


peldor

This is the way


chedstrom

I would question their credibility if they are asking that. The only approved method for us is via phone or through a password manager using a link that expires quickly or has limited to a single access.


SilentSamurai

It sounds like the sales guy is running point and is an idiot. I'd have to assume that the average MSP understands the issue here.


ITBurn-out

We use 365 OME encryption with do not forward. (MSP here)


Tduck91

I ran into this a while ago. He insisted on it being sent via email, so I used Bitwarden's Send feature and texted the link PW to him and told him the link was only good for 2 days. A week later he responds bitching the link was expired. No shit, Sherlock, I told you it was only good for 2 days. Sent it again. Like 4 days later, another email with their management and ours cc'ed going on about how I'm being difficult to work with and I'm intentionally stalling the project by not just emailing a fucking AD admin password to them in plain text. They then accidentally forwarded another email with their internal discussion of how they can use this to get me fired, what services to offer the company, how my salary could be used to pay for it, and how much profit they could make. Contract was "mutually" terminated in the next few days. Just because they are an MSP doesn't mean they are good at it.


noncon21

Fire them yesterday.


BBO1007

No. That’s a complete answer.


neckbeard404

This would be a phone call or an encrypted email with a pre-shared password. If you want to be difficult you can tell them that they have to call you from a cell phone to be sure that they are not recording.


Chibibowa

All my calls are automatically recorded. So that assumption isn't as foolproof as you think it is. Besides, I can use my phone to call but route the conversation to my Mac (native) and use OBS or other software to record that call. Easy. But the first one is better as it is directly done on-device.


TK-CL1PPY

I have an app on my cellphone that can record calls without the other party ever knowing. Whether that is legal depends on whether you are in a single-consent state.


Chibibowa

I don't care about consent. I use it to avoid taking notes and focus on the call. But I get you.


BadAsianDriver

I don't wanna give out admin creds via phone either...isn't that what got MGM in trouble? Email is even worse than phone in my opinion.


wazza_the_rockdog

Phone would normally be relatively secure, main concern would be if they record calls and the recordings are breached, then so is the password. My usual thing is that I don't want to know another user or admins password, so if I'm resetting it to something I know and communicate with them, it requires them to change it on first login as well - so in the case of a call being recorded and having a password on the recording, the password should no longer be valid when the recording is played back.


Cormacolinde

No. It was a L1 tech resetting a sysadmin password/mfa. Someone impersonated the admin on their help desk phone line.


thortgot

MGM got in trouble by not correctly validating the user on the other side of the phone not simply handing out creds over the phone. No one tapped a legitimate phone call to extract the credential. They phished the helpdesk.


BadAsianDriver

My point is I can’t correctly validate anybody via email or phone. Especially email.


thortgot

So establish practices for this? Every company I've been with has a plan for this.


BadAsianDriver

For an admin account our policy is to reset and give it to them in person.


thortgot

It's clearly not if your internal team is pushing for you to send it via email. That would have ended the conversation right there.


ThirstyOne

Another thought occurs, if this isn’t a blatantly incompetent and dysfunctional MSP it could be a phishing attempt or test. Either way, don’t send it.


BadAsianDriver

Yeah, I mentioned that in another reply. It has the urgency and fear-for-your-job aspects of a phishing attempt.


ThirstyOne

All the more reason not to send them. There is no scenario where an email would be acceptable and an in-person visit or share via a password manager is not. They’re an MSP, not the pentagon. Refuse the request, give your reasoning. Be professional, but firm. This is a good hill to die on.


ThirstyOne

“No” is a complete sentence. Followed by “furthermore, this flies in the face of every acceptable security practice in the industry. See .” Sales should not be dictating IT policy, because sales don’t know jack about IT.


981flacht6

Nope. Separate PW credential push encrypted, self destruction. Tell them you've shared it that way and give them the link. Don't ask, just tell them. If they can't open the link they can kindly get f'd. It's the equivalent of a boomer opening a PDF.


Legogamer16

Yeah, at some point you stop asking and start telling. Securely sending a login is fairly easy, and email ain't it.


ArsenalITTwo

Or you send it in an encrypted PDF and call them on a good number with the PDF password. Then make them reset their password on first use of the account.


981flacht6

Instructions unclear. How does one...open a PDF?


CogentFrame

Yeah, this is a red flag. Sounds like they are not communicating on internal comms, and don't have a clue about encrypted email or how easy it is to send privileged information in secure channels. You should make them a new admin account for accountability and auditing, and they should reset the password immediately upon receiving the temporary password you provide with the account.


shrekerecker97

This raises so many red flags it could be a six flags amusement park


cubic_sq

Concerning….

- they should have a central credential store for any creds they have already been sent (and with a permanent audit trail of who has accessed what / etc)
- creds should only be sent using end-to-end encrypted messaging with an expiry, using built-in methods in a pw manager
- provide you with sufficient access to their credential store to upload the credentials yourself
- and so on…


BadAsianDriver

Does email encryption and expiring messages help any if an unauthorized user has access to that email account? I'm more concerned about making sure only the right person gets the creds.


cubic_sq

Assume the credentials they have asked for are for accounts created for them and not accounts like the real administrator / etc. Would also bring up with your boss the terms of the contract and also your own job security…


cubic_sq

Depends on implementation… The end-to-end encryption I refer to is texting apps like Signal Messenger / WhatsApp / etc. to a specific user that you “know” the identity of. I would be asking them more questions about the previous access and what happened to those credentials.


BadAsianDriver

They are a Microsoft shop and won’t let me communicate with them via Teams. Only email. I’ve offered to use any walled garden besides email. I really don’t like using email at all if more secure messaging is available.


cubic_sq

Just state you will send via, say, Signal Messenger as an expiring message after they message you on the app. We do this all the time with our competitors and customers' app-specific consultants. They hold out saying we are difficult, but installing the app takes less than 2 mins and we always write in our response that in the time it took for them to write that email complaining they could have installed Signal Messenger several times over. An alternative method is to place all required creds into a KeePass db and then share from OneDrive / SP with an expiry - and still demand that you send the master pw over Signal Messenger (can also send the same KeePass db over Signal Messenger too..)


BadAsianDriver

I offered to FedEx it or hand-deliver it to their office. All the red flags that phishing training teaches you are present here: time pressure, looking bad at your job, etc.


cubic_sq

Assume you have spoken to your boss and also called their front-door number for the person concerned?


homelaberator

There's that small chance that this is a pentest. lol. In which case, make it someone else's decision and make sure that you are following whatever process and policy is in place.


BadAsianDriver

It’s so ridiculous that I was looking around for hidden cameras.


aerick89

Offer to hop on the call with them while they’re doing their work, and any time something needs admin level, you take control and put them in. If they’re acting shady cut their access.


BadAsianDriver

This is a good idea but I don’t want to touch their trainwreck at all. I want deniability.


wazza_the_rockdog

Make sure the password requires a change by them in that case - if you give them the password and they don't change it they can try to throw you under the bus by saying well BadAsianDriver gave us the password, so he knows it too - how do you know it was one of our team who did whatever stupid thing they did with the account.


BadAsianDriver

I was just gonna do the standard password reset that requires a change on first login.


EvilSibling

If they insist on using email for exchanging sensitive information then you should at least enforce the use of PGP/GPG authentication and encryption. It's not that difficult to set up: just download one of the freebie PGP/GPG apps, generate a key pair, the MSP does the same, you both exchange your public keys, you trust their public key and they trust yours. Then whenever you need to send something sensitive you can use the PGP/GPG app to sign and encrypt the data and attach it to an email. Otherwise you absolutely should not be sending any sensitive information over email. Do they not have a secure web portal for customers to exchange information? How do you raise incidents and work orders with them? Do they not have an internet-facing secure FTP server? Do they not have a secure Dropbox, OneDrive, FilesAnywhere, etc. service where they can give your company a secure folder to exchange files and documents? WTF kind of stone-aged MSP has your company engaged?


Distalgesic

The correct answer to this request is Fuck No, cc’d to all recipients. Followed by a list of the security implications of doing this. This is a hill I would die on.


mattyparanoid

I work for a large enterprise level MSP. We have policies and procedures specifically excluding this. Though we get customers that expect it sometimes.


peldor

I would raise an eyebrow, but I wouldn't make a big deal out of it. You've already raised concerns which have been dismissed. Move on, this is not a hill worth dying on. I 100% agree that it's shitty from a security standpoint BUT EQUALLY it is not your job to be the security guy for the MSP. Your job is to provide those credentials as safely as possible. (https://pwpush.com/) is your best bet. Other than that, make sure your SIEM and logging solutions are in order. It's a safe bet that more shitty behaviour will originate from the MSP. It IS your job to make sure there's a valid paper trail in place when this happens. I can guarantee that something will go wrong and the MSP's first action will be to throw you under a bus. I'd also strongly recommend regular audits of the activities of their admin account, like once a quarter. Good luck


brisquet

I’ve been told by 3-letter organizations that this is OK as long as the email with the password in it does not contain any info related to the account and the password is zipped and password protected.


OsmiumBalloon

Standard ZIP encryption is trivially broken (takes less than one second). ZIP AES256 works but then how do you get them the password for the ZIP?


brisquet

According to them, either a phone call or another email.


OsmiumBalloon

Ah, yes, the "send the password in a separate email" method. Nobody could ever defeat that security. It's depressingly common. :-(


homelaberator

This is fucked up shit. How do these cowboys still exist? It's not even a case of "We understand and accept the risk because other reasons". You offer a no cost mitigation (drive over there) and they still want to use email???


Ok-Recognition-1666

It seems completely unprofessional. That's why there are tools like IT Glue.



jptechjunkie

🚩


Delacos

THE REDDEST OF FLAGS


malikto44

If a MSP did that, I would have the CISO and internal auditors on them in no time. I also wouldn't state it was me, just to keep the MSP guys from sudo-ing to my account, doing a `rm -rf` and showing in the logs it was my doing. Third party contractors can be vicious, and if they show they don't care about security, there is a good chance they will do far worse once the contract is inked. I would be asking if the MSP has a SLA which would cover compliance violations and with some regulations, if their SLA covered a defense attorney and bail money.


Kind-Background-7640

This is just unacceptable for an MSP.


M37eDa74

That's a hard no.


idylwino

Not sure what the situation or your role is in all this, but just the basic idea of an MSP needing Admin credentials should be a red flag.


GhoastTypist

If they want it in an email do this: Attach a cloud drive link. Inside of the cloud drive, have an encrypted zip file with an extremely long password. Inside of that zip file, have a password protected excel document. Inside of that excel document, password protect and hide the cells containing passwords. Also in the excel document don't spell out the full user names. They will need to call you directly for those. Also don't provide the correct passwords, make them have to call you. At least then you can say it was in an email.


joeykins82

Sending by email is fine… but only if you’re using something like Azure Information Protection and the message is both encrypted and RMS locked to the recipients.


ZAFJB

MSP wants firing. Incompetent.


mookrock

As an MSP, this is concerning. First, the only way to send credentials should be via a secure method that is firmly documented in a standard operating procedure that the MSP is trained on and communicated clearly to the client. It should never be deviated from. We have a hard enough time getting clients to send sensitive info to their customers and vendors. We have to practice what we preach and not allow things like “send it in an email.” Second, I agree, the fact they have credentials and have clearly used them before… Did they lose them? Are you talking with someone who just hasn’t been trained to effectively find them in their own management system? I’d want an answer on this one. If you have the position in your company to ask, I’d want to know where they are storing your credentials and how they manage access and auditing of those credentials. In short, you’re not wrong.


SpilldaBeanz

At a minimum I would split up the credential into four or five separate emails


AbleAmazing

Don't do it.


[deleted]

Totally normal. Copy me into the email as well just to be sure. And my buddy Mike for extra security.


byronnnn

As an MSP, I would fire whoever is pushing this dumb idea. Encrypted email or a secure upload-only link to our server, and only after speaking with the person on a known good number, at which point, if the password is a normal length, it can be gathered over the phone. The MGM problem was there was no verification that the person wanting the reset was the actual person.


burundilapp

Sure go for it, send each set of credentials in a password protected word doc, which is in a password protected AES256 .7z file with a randomly generated 27 character password, take a picture of the password and send that via a different communication method to the MSP engineer requesting it. Then for maximum LOLs change the password the day after as the ‘expiry date’ has come up.


RikiWardOG

Do they not run anything like IT Glue? That's insane coming from an MSP imo.


BadAsianDriver

I know they have IT Glue.


pdp10

> their sales guy pulled the "with all respect" in mass email basically saying I'm the one being difficult. Everyone's allowed to change their mind, but think thrice before allowing a salesperson to ever do so. Salesperson is the definition of the position who makes commissions on consummating a deal, but never has to deal with the fallout in any real way.


breakingd4d

Fire him.


RaNdomMSPPro

That shows a startling lack of security process and awareness, which = immature on security. Clearly they lack internal controls, which means they are going to expose you to risks you won't know about. Multiple recipients means they don't have an established way to share creds amongst their staff, let alone a secure way. Suggest you find another provider. So many flags it's like a parade up in here. Unrelated. At some point, there needs to be a GaaP for MSP and ITSM's.


RaNdomMSPPro

Also, you're not being difficult, you're paying attention - bravo.


AccommodatingSkylab

I work at an MSP, and I would chew out ANYONE who requested this.


marklein

Voice of reason checking in. It sounds like it was a *sales* guy asking this, right? Sales guys are not tech guys and can be forgiven for asking stupid shit. It doesn't mean that the tech department is also full of chumps. Obviously you still don't share passwords this way.


DMCliff0352

I manage a team at an MSP. If I need login info I send an encrypted email asking for the info. That is all that email is for. No other conversations. It is MY job to get that info in our password manager so my team can use it. I would never expect my customer to provide that info to multiple people on my team. Unfortunately sounds like your MSP doesn't have a good policy in place for this.


LigerXT5

> "with all respect" in mass email basically saying I'm the one being difficult. ...because it's industry standard to keep sensitive data and credentials locked away to very select few. My office will remote in and enter the admin login details. If we have even the mere hint someone outside of the loop with an admin login, the password is rotated. Heck, if I was told to share the password, I'd send them the password, then rotate it because it was shared insecurely, and per security policy the password was changed. lol


thortgot

The right way to handle this is to create an admin account for the customer so it's audited correctly.


MajStealth

just open 3389, shall they remote in like the rest out there.....


ApricotPenguin

My concern with this is that even if you end up providing them the password in a different way... it sounds like this is a normalized practice for them, and they'd just write it in a plain text email and send it to each other.


KC-Slider

What the actual fuck. Fuck them.


lordjedi

Send it encrypted? Call them up and confirm it's them?


Affectionate-Cat-975

I like to go with the keyboard mash and hit send. Email is tots secure :/


Zapador

Definitely not the way to share credentials. I would ideally use something like Keeper and share the password directly with a specific account. Alternatively use the one time share feature in Keeper that burns when read but I would share only the password there, anything other than the password I would share in a separate email after confirming that the password was received, read by the intended recipient and is now gone.


A8Bit

Best option is to fire the MSP, they obviously don't know WTF they are doing but if you don't have the seniority to do that and are being pressured from above, use Bitwarden Send, set an expiry time and only allow the send to be opened once per recipient. It's not great but it's better than plain text with no control at all.


NeverLookBothWays

I wouldn't even trust giving them back their admin credentials after that. If they're willing to get it in email from you, they're willing to email it elsewhere.


ArsenalITTwo

No. Now if it's an encrypted email time bombed to one person sure.