How can clients easily and securely send me passwords?

PGP is popular.

You can also try the tried and true method of a meeting at a pond, preferably with both of you wearing trench coats.


Your idea of a web-based messaging system could be implemented in a few dozen lines of HTML and PHP (mostly HTML) on any system that had an SSL web server and GPG installed. It’s really just a very simple but specialised formmail-type program. You could even hack an existing formmail CGI script to insert a call to GPG (assuming one doesn’t already exist; try Googling for formmail + GPG).

  • If you haven’t already done so, install gpg on your workstation and create your public & private keys.
  • Create a PHP page that displays a form to accept a message (text field), encrypts it with gpg using your public key, and emails it to you. Hard-code your email address in the script (i.e. don’t allow the sender to specify who to send to).
  • Install the PHP page on an existing SSL server or create one just for the task. A self-signed cert is good enough for this job.
  • Tell your client the URL when you need them to send you a login and password.

Btw, Thunderbird has the Enigmail plugin which makes using GPG encryption very easy. But it’s still probably too much trouble for casual users.
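
A sketch of the form-to-GPG page that the steps above describe, added here as an example and not code from the answer's author. The recipient address, keyring directory and size limit are assumptions; the keyring is assumed to hold only your public key, and the page is assumed to be served over HTTPS.

```php
<?php
// Added example. Values marked "assumption" are placeholders to replace.
const RECIPIENT   = 'me@example.com';          // assumption: your address, hard-coded
const GPG_HOMEDIR = '/var/lib/webform-gnupg';  // assumption: keyring with ONLY your public key
const MAX_BYTES   = 4096;                      // assumption: upper bound on message size

function gpg_encrypt(string $plaintext): ?string
{
    // Array form of proc_open (PHP 7.4+) starts gpg without a shell, and the
    // message goes in over stdin, so it never appears on a command line.
    $cmd = ['gpg', '--batch', '--no-tty', '--homedir', GPG_HOMEDIR,
            '--trust-model', 'always', '--armor', '--encrypt',
            '--recipient', RECIPIENT];
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['file', '/dev/null', 'a']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    fwrite($pipes[0], $plaintext);
    fclose($pipes[0]);
    $cipher = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    // Fail closed: require a clean exit AND armored output before mailing anything.
    $ok = proc_close($proc) === 0
        && is_string($cipher)
        && strpos($cipher, '-----BEGIN PGP MESSAGE-----') === 0;
    return $ok ? $cipher : null;
}

$status = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $msg = $_POST['message'] ?? '';
    if (!is_string($msg) || $msg === '' || strlen($msg) > MAX_BYTES) {
        $status = 'Message must be between 1 and ' . MAX_BYTES . ' bytes.';
    } elseif (($cipher = gpg_encrypt($msg)) === null) {
        $status = 'Encryption failed; nothing was sent.';
    } else {
        // Only ciphertext is mailed; recipient and subject are fixed by the script.
        $sent = mail(RECIPIENT, 'Encrypted message from web form', $cipher);
        $status = $sent ? 'Sent.' : 'Mail delivery failed.';
    }
}
?>
<!doctype html>
<title>Secure message</title>
<p><?= htmlspecialchars($status) ?></p>
<form method="post" autocomplete="off">
  <textarea name="message" rows="6" cols="60" required></textarea>
  <button type="submit">Encrypt and send</button>
</form>
```

The plaintext is never written to disk or echoed back to the browser, and the private key stays on your workstation, so a compromise of the mail path exposes only ciphertext.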


This is a combination of a text file and a phone call:

Have your client put the password in a plain text file, and then drop the text file into a password-protected zip file (7zip is free and open-source). Have them email the encrypted .zip/.rar/.7z file to you and then call with their username and the password for the zip file.

This prevents anyone from opening the zip file, and even if they did, it's only a password, which doesn't give you anything without any other information, like username and where to use it.

Additionally, this is a way to email a "forbidden" file type, like a .exe, to an email client that scans attachments and inside zips. In those cases, I usually just include the password for the zipped file in the email, and it's usually "password". It's enough to stop email software from checking the contents, though.