
Ask HN: What do you use for passwords on encrypted attachments - mtbkrdave
Yes, yes, there are plenty of more-secure ways of getting files from point A to point B today, but once in a while a curmudgeonly vendor or someone's misguidedly-heavy-handed policy pushes us into having to send a sensitive attachment by email.

So, you zip it up with a password or generate an encrypted PDF - but what to use for the password? Absent a side channel to send the password through, you have to use some shared bit of knowledge. Same applies for sending a secure ProtonMail message to a non-PM address.

Most recently I used the message ID of the first message in a separate email thread with the same recipient - but there's no guarantee he still has that message or would have any clue how to get at the headers and track down the ID. I've used invoice numbers plus total dollar amounts on most-recent bills in the past, or strings from design files sent in cleartext previously.

Of course there's always a phone call and a sufficiently-simplistic password.

What's your favorite means of conveying a file password alongside the file?
======
ziddoap
If I have to send it this way, any out-of-band communication is generally fine
with me although I do prefer phone (out-of-band verification and no
transmission over net).

Assuming your no side-channel requirement means no phone call available, I'd
probably send with PGP. If it's a pushy vendor, I'll be pushy back
(company/position allows me to be pushy, ymmv). Worst case would be resorting
to something like: "Password is the invoice number from XX/YY date and the
first item code on the invoice" or something sufficiently complex.

------
krrrh
[https://onetimesecret.com/](https://onetimesecret.com/)

