How should you send sensitive data like passwords?
- Putting them in an email and praying that nobody finds it is very much not the best way to do it.
- Encrypting your email with PGP is secure (and recommended), but most people don’t have the technical knowhow to set that up and use it properly.
- Texting is a little better than email, but still could be hacked.
- Encrypted texting with an app like Signal is better, IF both you and the recipient use Signal.
- Sharing them through your password manager (LastPass, KeePass, etc) is good, IF both you and the recipient use the same password manager.
- A phone call can be inconvenient.
We’ve recently started using one of several services (that we are currently aware of) which generate a random web address which you send to the recipient. The notes are encrypted using a key that is never stored on the server. Only the valid URL can display the notes – it is the key. The resulting web page can only be opened and viewed a specific number of times or for a specific duration, then the data is wiped forever from the server. (Or at least that’s what the operators of the services tell us. We have no way of verifying that they actually do …or don’t.)
https://1ty.me/ – one time read; you can set it to notify you by email when it has been read.
https://privnote.com/ – can notify you when opened, allows you to set a password for reading the page, allows either automatic expiration (1 hr to 30 days) OR deletion on first reading.
https://onetimesecret.com/ – allows you to set a password for reading the page, allows you to set an automatic expiration (5 min to 7 days), and allows you to delete the data before it has been read.
https://safenote.co/– allows you to set a password for reading the page, allows you to set an automatic expiration (1 hr to 14 days) OR deletion after it has been read a specific number of times (not both, but if you set 3 times and it’s only read twice it will still be auto-destroyed after 14 days), and allows you to delete the data before it has been read.