what's a secure way to send passwords over the internet?

Solution 1:

PGP or another asymmetric encryption method would sound like the way to go ..

  1. both sides must publish his/her public key
  2. sign your message with your own private key
  3. encrypt with the other's public key
  4. transmit the file
  5. only the other's private key can decrypt the message
  6. your public key can be used to validate the message

=> secure & private

Solution 2:

Any mechanism that uses asymmetric keys (like SSL or PGP) is good. Basically, it means that you encrypt the data (password in your case) with other person's public key, and the only way to decrypt it is to have access to the private key (which only receiver does).

The only thing to worry about PGP is who do you trust, because spoofing can easily happen when people sign their own keys.

Read the web of trust section in the wikipedia entry for PGP for more info about that.


Solution 3:

What about calling the recipient with Skype?


Solution 4:

You should also make sure the receiver has to change the password before being able to use whatever service it's for - authenticating the change with the sent one-time-password. This will provide further protection against theft - and/or slightly better chances at discovering one if it required the thief to change it, leaving the true user with an access denied prompt ^^