1

What security is gained from this procedure? What does this procedure accomplish? Many professionals do this, like government officials and lawyers.

First, they email me the attachment (e.g. PDF, Word file, Excel spreadsheet). And they write "Please see the password in the separate subsequent email."

They email me a 2nd time within 5 minutes, with the alphanumeric password that usually has < 10 digits.

How can this procedure possibly thwart a hacker or intelligence agency? After hacking into my email, a competent spy shall see both emails, and simply enter the password (in the 2nd email) into the attachment (in the 1st email)! Isn't this blindingly obvious?

  • While I like, that you accept my answer, it is good etiquette around here to wait 24h before accepting an answer, to give all folk from different time zones an equal chance to answer. I suggest, you at least temporarily unaccept my answer. – Marcel May 06 '22 at 08:16
  • Sending one mail with the password protected file and one with the password is a good way to prevent automatic mail scanners from accessing the content... Besides that I don't see any advantage. – Robert May 06 '22 at 11:38

1 Answers1

0

I guess the idea is to make it just a little harder for the adversaries, circumventing automatic tools that just try every word in the first email to decrypt the attachment automatically.

It's very unfortunate, since, also in my experience, many companies lack of a reliable second channel to the recipient to transfer the password.

So, it's just some kind of "Best Effort", given the environment.

Marcel
  • 4,094
  • 1
  • 21
  • 40
  • One place I worked at used to send sensitive Excel files to outside service provider in encrypted Zip archives, and the password in a second email (subject line "Password for xxxx.zip"). I asked the same question, and was told 'Just do it, then you won't be blamed if there's a breach'. After high level meetings with the provider, a new scheme was invented: the provider sent us a list of 12 monthly passwords (e.g. !?eqz19@bJan, !?eqz19@bFeb,!?eqz19@bMar and so on), and we just sent the archives with a note 'Using the password'. – Michael Harvey May 06 '22 at 08:24
  • @MichaelHarvey The good ol' password list. WT*! – Marcel May 06 '22 at 11:44
  • @Marcel: Interestingly, the "share a list of secrets and force attackers to guess which one was used", far from being a WT*, was the conceptual framework used to invent public key cryptography. See Ralph Merkle's groundbreaking paper and later explanation with the advantage of highsight – Ben Voigt May 06 '22 at 18:42