Security Basics mailing list archives

Re: secure password communication


From: dan.crowley () gmail com
Date: 22 Dec 2008 15:30:01 -0000

I actually just spent some time thinking about this problem and finally submitted the following question to Bruce 
Schneier via email:

Is it ever possible to prevent a man in the middle attack on an untrusted network without any pre-exchanged information?

His answer was "No." He explained with the example of two people meeting in person who have never met or talked to each 
other before. How can they know that the person they meet is actually who they claim to be?

The answer to your problem is one of two things:
1) Use strong cryptography with pre-exchanged keys
2) Use a trusted medium of communication like the postal system

There are still attacks possible on either of these solutions, but they are far less feasible than the alternatives.

Your issue is that you need the communication to be secure, fast, and cost-effective. Sadly, in your current situation, 
something is going to have to give unless you can figure out some pre-exchanged secret that can be used as either 
cryptographic keys for a secure communication, or initial application passwords. Otherwise, you will have to give out 
keys via mail if you want security.

For the future, you may want to consider setting up a public key distribution system for secure communications.
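
Added example, not part of the original message: a Diffie-Hellman exchange over an untrusted network, run with and without a pre-exchanged secret, showing that only the pre-exchanged secret lets the two ends detect a substituted public value. The group parameters, function names and the sample secret are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Toy parameters for illustration only: not a vetted Diffie-Hellman group.
P = 2**255 - 19
G = 2

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def tag(psk, pub):
    # HMAC over the public value, keyed with the pre-exchanged secret.
    return hmac.new(psk, pub.to_bytes(32, "big"), hashlib.sha256).digest()

def session_key(priv, peer_pub):
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(32, "big")).digest()

def exchange(psk, tamper):
    """One Alice/Bob exchange; psk=None means nothing was pre-exchanged."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    m_priv, m_pub = keypair()  # intermediary sitting on the untrusted network
    # Messages as sent: public value plus a tag when a secret was pre-exchanged.
    to_bob = (a_pub, tag(psk, a_pub) if psk else None)
    to_alice = (b_pub, tag(psk, b_pub) if psk else None)
    if tamper:
        # The intermediary swaps in its own value but cannot compute a valid
        # tag without the secret, so the original tag travels on unchanged.
        to_bob = (m_pub, to_bob[1])
        to_alice = (m_pub, to_alice[1])
    if psk:
        for pub, received_tag in (to_bob, to_alice):
            if not hmac.compare_digest(received_tag, tag(psk, pub)):
                return {"detected": True, "keys_match": False, "exposed": False}
    k_alice = session_key(a_priv, to_alice[0])
    k_bob = session_key(b_priv, to_bob[0])
    # "exposed": the intermediary can derive the key Alice believes is private.
    exposed = tamper and k_alice == session_key(m_priv, a_pub)
    return {"detected": False, "keys_match": k_alice == k_bob, "exposed": exposed}

if __name__ == "__main__":
    for psk in (None, b"constructed-pre-exchanged-secret"):
        for tamper in (False, True):
            print("psk" if psk else "no psk",
                  "tampered" if tamper else "clean", exchange(psk, tamper))
```

Without the secret, the tampered run completes silently with "exposed" set; with it, the same tampering is rejected before any key is derived.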

