Every so often, I get a glimpse into the thought processes of someone who has a very different view of the world to me.
I don't deal with people's personal information often. So I was surprised to receive an email with a multi-megabyte spreadsheet called "Pay and Bonuses 2020". The email contained this doozy of a sentence:
“Due to GDPR the attached file is password protected, I will send the password in a separate email”
I shit you not.
I checked the sender. They didn't work for my organisation, or any related organisation. We had exchanged emails before, so I suspect email autocomplete had got a bit confused and autofilled "Terence Eden" rather than "Tegan Jovanka" or something.
Two minutes after receiving the email - and before I'd had a chance to inform the sender of their mistake - I received another email.
The password is "03022020" - no quotes
Yup, today's date. Fiendishly difficult to crack...
I'm trying to understand the thought process going on here. I think it's based on some faulty comparison to the regular post service. If someone randomly snatches an email, they are unlikely to also randomly get the password.
But that's not the threat we're facing here. If someone is listening to the network - they'll have both emails. If someone gets access to my inbox - they'll have both emails. If you've sent the email to the wrong person - they'll have both emails.
The only thing this prevents is someone accidentally forwarding a single email.
Sending an encrypted document through email is fine.
But the password should be sent through an independent channel - preferably one you can authenticate.
In this case, here's the process I would recommend:
- Send the document via email
- Call the intended recipient
- Verify you're speaking to the right person
- Confirm that they have received the email
- Tell them the password
Hopefully they'll store it somewhere secure, rather than write it on a Post-It note.
There are alternatives, of course.
- Send a link and have someone sign in with the correct credentials.
- Call the recipient and tell them how to access the document.
- Text them the password
- I'm sure you can think of more.
But, please, whatever you do - think about the threats you are trying to defend against.