Is Skype secure enough to transmit passwords?
Questions I would ask myself before using skype for sending sensitive information:
- Is the encryption truly end-user to end-user or is the data only encrypted between the user and Skype (thereby potentially giving Skype access)?
- How are IM logs managed? Can you be sure that you have 'deleted' the password from the log?
- Even if logs are not being stored to disk directly buy Skype, is the memory Skype uses for this non-pageable? i.e. could the password be placed into a page file without you being aware and hence become retrievable for local users?
Before satisfying these questions my own answer would have to be no.
"A password" is not enough information to determine how it needs to be protected. What resources does the password grant access to, and what level of access?
Skype uses reasonably strong encryption on voice communication--we think. It's closed-source, so what we know comes from documentation and protocol reversing. You can't look at their source code to make sure they're not, say, using a flawed AES implementation that leaks key data.
Even if the protocol is completely secure, it's still operated by Skype Limited, a Luxembourg-based company, and owned by Silver Lake Investments, a Menlo Park-based tech investment firm.
So, to return to the beginning, what are you trying to protect? If it's the nuclear launch codes, over $10k worth of financial data, or Luxembourg state secrets, don't use Skype. If it's a user account on a domain that wouldn't interest a capital investment firm, a small European country, or a crime syndicate with the resources to sniff internet backbone traffic, Skype's probably ok.
Skype sends information among 3rd party client nodes with a closed protocol. It makes no warranties about the security of its connection. I would suggest using something like OTR on top of your instant messaging medium.
Beyond that, the usual, "is there enough risk to warrant concern" rule applies. Maybe it just isn't worth addressing in your case.