Receiving customer passwords over the web

  • 16-06-2013 04:57PM
    #1
    Registered Users, Registered Users 2 Posts: 16,415 ✭✭✭✭


    I occasionally need to get customer passwords for FTP, email accounts, etc.

    I don't want them emailing me stuff in plain text. What's best practice in terms of receiving passwords?

    Is an HTTPS-secured form with a script writing to a MySQL database good enough? How would you go about creating a locked-down environment for customer passwords?


Comments

  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Depends how technical your customers are. I have typically exchanged sensitive data with customers or partners via PGP encrypted email. That's technical people exchanging data though.

    The form is a bit open to abuse. I would generally not store sensitive data (e.g. unencrypted passwords) in a database that is internet facing. You're asking to get screwed.

    edit: encrypted chat client perhaps?


  • Registered Users, Registered Users 2 Posts: 16,415 ✭✭✭✭Trojan


    Khannie wrote: »
    Depends how technical your customers are. I have typically exchanged sensitive data with customers or partners via PGP encrypted email. That's technical people exchanging data though.

    The form is a bit open to abuse. I would generally not store sensitive data (e.g. unencrypted passwords) in a database that is internet facing. You're asking to get screwed.

    edit: encrypted chat client perhaps?

    I did think about encrypted IM, but it really needs to be asynchronous, and preferably a persistent storage mechanism too.

    I guess what I really need is asymmetrical encryption, preferably done in PHP (don't start :))

    Any off-the-shelf solutions/scripts available? I'd prefer not to code it myself.


  • Registered Users, Registered Users 2 Posts: 1,298 ✭✭✭moc moc a moc


    PGP is really the best answer technically, but there's a high chance of PEBCAK errors. Maybe a web form that PGP-encrypts and emails the password to you? Should be easy to knock together in PHP.
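
The approach suggested in the posts above (a PHP web form that encrypts asymmetrically before anything is stored or emailed), as an added example that is not part of any poster's reply. It uses libsodium sealed boxes (PHP 7.3+ with ext-sodium) in place of PGP; the function names and sample values are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Web host side: encrypt a submitted credential to the recipient's PUBLIC key.
// The host never holds the secret key, so a database or mailbox compromise
// yields only ciphertext.
function seal_submission(string $service, string $user, string $password, string $publicKey): string
{
    if (strlen($publicKey) !== SODIUM_CRYPTO_BOX_PUBLICKEYBYTES) {
        throw new InvalidArgumentException('bad public key length');
    }
    $plain = json_encode(
        ['service' => $service, 'user' => $user, 'password' => $password, 'ts' => time()],
        JSON_THROW_ON_ERROR
    );
    $sealed = sodium_crypto_box_seal($plain, $publicKey);
    sodium_memzero($plain); // wipe the plaintext copy held by this function
    return sodium_bin2base64($sealed, SODIUM_BASE64_VARIANT_ORIGINAL);
}

// Recipient side: run on a machine that is NOT the web server.
function open_submission(string $blob, string $keypair): array
{
    $sealed = sodium_base642bin($blob, SODIUM_BASE64_VARIANT_ORIGINAL);
    $plain  = sodium_crypto_box_seal_open($sealed, $keypair);
    if ($plain === false) {
        throw new RuntimeException('decryption failed: wrong key or altered blob');
    }
    return json_decode($plain, true, 4, JSON_THROW_ON_ERROR);
}

// --- Demo with constructed values ---
$keypair   = sodium_crypto_box_keypair();           // generated offline by the recipient
$publicKey = sodium_crypto_box_publickey($keypair); // only this is deployed to the web host

$blob = seal_submission('ftp.example.test', 'demo-user', 'constructed-password', $publicKey);
echo "stored: ", substr($blob, 0, 32), "...\n";     // what would go into MySQL or an email

$record = open_submission($blob, $keypair);
echo "recovered for {$record['service']}: {$record['password']}\n";

// A blob altered in storage fails authentication instead of decrypting to garbage.
$tampered = $blob;
$tampered[10] = $tampered[10] === 'A' ? 'B' : 'A';
try {
    open_submission($tampered, $keypair);
} catch (Throwable $e) {
    echo "rejected: ", get_class($e), "\n";
}
```

This keeps the submission asynchronous and persistent: the customer only needs a browser, and the stored blob can be decrypted later on the recipient's own machine.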


  • Closed Accounts Posts: 18,253 ✭✭✭✭uck51js9zml2yt


    You could look at encrypting a zip file with 256-bit AES and calling them with the password to unlock it.

