Secure Password Share
Securely share passwords via encrypted links. Generate a time-limited, burn-after-reading link — recipient decrypts with a key in the URL hash that never reaches the server.
About Secure Password Sharing
Sharing passwords via email, chat, or SMS is a significant security risk. These channels are often unencrypted, persist indefinitely in inboxes and logs, and may be accessible to third parties (employers, email providers, law enforcement). Secure Password Share addresses this by encrypting the secret before storage and destroying it after use.
How it works
- Your secret is encrypted in the browser before being sent to the server — only the encrypted ciphertext is stored.
- The decryption key is embedded in the URL fragment (
#key), which is never sent to the server. Only someone with the full link can decrypt the secret. - The secret is deleted from our servers the moment it is viewed (if "burn after reading" is enabled) or when it expires.
When to use secure sharing
- Sending a password, PIN, or API key to a colleague or client
- Sharing credentials during onboarding that should be changed immediately after first use
- Any sensitive text that should not persist in an email thread or chat history
Limitations
- Once you share the link, anyone who receives it can read the secret. Share it through a secure channel and confirm the recipient is who you intend.
- The "burn after reading" option protects against the secret being read multiple times, but cannot prevent the first recipient from copying and re-sharing the content.
- Links expire automatically — make sure the recipient views the link before it expires.
Frequently asked questions
How is this secure?
Passwords are encrypted client-side with AES-256-GCM. The decryption key is stored in the URL fragment (after #) which is NEVER sent to the server. Only the encrypted data goes to the server.
How does "burn after reading" work?
When enabled, the link is permanently deleted the moment it's viewed — even if it hasn't reached its expiry time. The password can only be retrieved once.
Can the server see my password?
No. The server only stores encrypted data. The encryption key exists only in the URL fragment (after #), which browsers never send to the server.
What happens if the link expires?
After the expiry time, the encrypted data is automatically deleted from the server. Without the server data, the encrypted link becomes useless.