Thursday, February 25, 2016

Sending Passwords Via Emails

Requests for a new login, or for a password reset on an existing login, are among the most frequent tickets we handle as DBAs. I see a lot of DBAs send passwords in email without setting the right information classification, which we should avoid. That is bad practice: as a DBA, learn (or ask about) your company's standards and protocols for sending passwords to a user or requester.

I sometimes break the protocol (because of the amount of work we do ;) ) and one day I was very politely reminded by my lead to follow the security protocol. He sent me an email saying "Please do not send App IDs and Passwords in the same email." Then I realized it, reset the password and sent it to the recipient as per the company standard.

The standard that we follow is:

1. Login IDs and passwords should be sent in separate emails.
2. Emails containing passwords should be marked Confidential.
3. Emails containing passwords should use the "To" line only, never CC or BCC.
4. Emails containing passwords should never use group email IDs as recipients.
5. Recipients should be individual email IDs only.

or alternately,

1. Put the login ID and password in a document (Word, Excel, PDF, etc.).
2. Encrypt the document with a password.
3. Send the document (marked Confidential) to the recipient only, in one email.
4. Send the password for the document in a separate email (marked Confidential) to the recipient only, following steps 2 to 5 above for both emails.

This procedure is a reasonable baseline for sharing passwords in any company, but find out your own company's protocol/standard first and follow that. Keep in mind that splitting the login ID and password across two emails only raises the bar: both messages still end up in the same mailbox, so treat an emailed password as temporary and require a change at first login where the database supports it.
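The post does not name a tool for step 2 (Word, Excel and PDF have their own built-in password protection). The following is an added example, not code from the original post, showing the same two-email procedure with the openssl command line: the credentials file is encrypted under a randomly generated passphrase, the encrypted file goes in one email and the passphrase in the other. It assumes openssl 1.1.1 or later is installed; the file names and the sample credentials are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): password-protect a credentials
# document with the openssl CLI so that the encrypted file and its passphrase
# can be sent in two separate emails. Assumes openssl 1.1.1+ is installed;
# file names and the sample credentials below are constructed for the demo.
set -eu

# Encrypt file $1 to $2 with passphrase $3.
# -pbkdf2/-iter: derive the key with PBKDF2 (100000 iterations) instead of
#   openssl's legacy single-pass MD5 key derivation.
# -salt: random salt, so encrypting the same document twice gives different output.
# -pass env:: read the passphrase from the environment so it never shows up in
#   the process list the way "-pass pass:..." would.
encrypt_creds() {
    CREDS_PASS="$3" openssl enc -aes-256-cbc -pbkdf2 -iter 100000 -salt \
        -in "$1" -out "$2" -pass env:CREDS_PASS
}

# Decrypt file $1 to $2 with passphrase $3. The iteration count must match the
# one used for encryption. A wrong passphrase normally fails the padding check
# and openssl exits non-zero ("bad decrypt").
decrypt_creds() {
    CREDS_PASS="$3" openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 \
        -in "$1" -out "$2" -pass env:CREDS_PASS
}

# Random passphrase for the document (this is what goes in the second email).
gen_passphrase() {
    openssl rand -base64 18
}

# Demo with constructed data.
workdir=$(mktemp -d)
printf 'Login ID: app_user\nPassword: EXAMPLE-ONLY-not-a-real-password\n' \
    > "$workdir/creds.txt"
doc_pass=$(gen_passphrase)
encrypt_creds "$workdir/creds.txt" "$workdir/creds.enc" "$doc_pass"
rm "$workdir/creds.txt"   # keep only the encrypted copy on disk
echo "Email 1 (Confidential, To: recipient only): attach $workdir/creds.enc"
echo "Email 2 (Confidential, To: recipient only): document passphrase $doc_pass"
```

Both emails still follow rules 2 to 5 above (Confidential, "To" line, individual recipient). If you use the built-in protection of Word, Excel or PDF instead, save in the modern formats (.docx/.xlsx, which use AES) rather than the legacy 97-2003 formats, whose password protection is weak, and use a long random passphrase rather than something guessable.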

Below are sample email classification and sensitivity labels in use at different companies (shown as images).

Sample 1:

Sample 2:

Sample 3:
Thanks, I hope this helps.
