Secure Password Delivery to User Servers

TL;DR

Don’t send passwords directly! Use a secure token-based system with one-time use, strong encryption, and proper key management. This guide explains how.

How to Securely Send Passwords from an Application to a User Operated Server

1. Understand the Risks: Sending passwords in plain text (even over HTTPS) is extremely dangerous. They can be intercepted or logged. Storing them on either side, even temporarily, increases risk.
   • Man-in-the-Middle Attacks: An attacker could intercept communication.
   • Server Compromise: If your server (or the user’s) is hacked, passwords are exposed.
   • Logging Issues: Passwords might accidentally end up in logs.
2. Avoid Password Transmission Altogether (Best Option): Encourage users to set their own passwords directly on their server.
   • Provide clear instructions for password creation and management.
   • Offer strong password generation tools within the application.
3. If Password Transmission is Absolutely Necessary: Use a Token-Based System

   This involves generating a unique, short-lived token that allows the user to retrieve their password (or set a new one) on their server.

   • Token Generation: Your application generates a random, cryptographically secure token.
   • Secure Transmission of Token: Send this token to the user via a secure channel (e.g., email with strong encryption like PGP or through a trusted in-app notification system). Never send the password itself!
   • Server-Side Redemption: The user presents the token to their server.
     • The server verifies the token’s validity (see step 4).
     • Upon successful verification, the server allows the user to set a new password or retrieve an existing one.
4. Token Security Details:
   • Randomness: Use a strong random number generator (RNG) for token creation.

     import secrets
     token = secrets.token_hex(16)
     

   • Expiration: Tokens should have a very short lifespan (e.g., 5-10 minutes).
   • One-Time Use: Once a token is used, it must be invalidated immediately.
   • Database Storage: Store tokens securely in your database, along with their expiration timestamps and usage status.

     # Example SQL table structure:
     CREATE TABLE password_tokens (
       token VARCHAR(255) PRIMARY KEY,
       user_id INT NOT NULL,
       expiration_time DATETIME NOT NULL,
       used BOOLEAN DEFAULT FALSE
     );
     

5. Encryption (If you must temporarily store the password): If, for some reason, you need to briefly store a password on your server before it’s used by the user, encrypt it using a strong encryption algorithm.
   • Algorithm: Use AES-256 or similar robust algorithms.
   • Key Management: This is critical! The encryption key must be stored securely and rotated regularly. Do not hardcode keys into your application. Consider using a Hardware Security Module (HSM) or a dedicated key management service.

     from cryptography.fernet import Fernet
     key = Fernet.generate_key()
     f = Fernet(key)
     token = f.encrypt(b"my password")
     decrypted_password = f.decrypt(token).decode()
     

6. HTTPS is Essential: Always use HTTPS for all communication between the application and the user’s browser, and between your server and any external services.
7. Regular Security Audits: Conduct regular security audits of your code and infrastructure to identify and address potential vulnerabilities.