Show HN: Pass.sh – simple, secure, password sharing service

  • Simple, yes.

    Secure, not so much.

    Saying “I used encryption” doesn’t make it secure; password distribution is a key management problem which is not solved by encryption.

    Your secret is stored in a DB you don’t own, and the encryption keys are on a random third party’s servers.

    No way to verify anything is actually deleted.

    Email filters will visit the links if you send the URL via email, further exposing the password.

    Even if sharing a limited-time “reset” password that is forced to be changed immediately there are tons of simpler and more secure options for distribution.

    I don’t know what scenarios this is useful for in the real world, but I certainly don’t advise using it for anything even approaching important.

  • Has little or no server side validation? (form prompts for min 1), I shared https://pass.sh/show/2582dbae-5450-4a74-a758-152cdac1c049 with delete after -1 views (simple inspect and edit). It does work to some extent though, as the link comes up empty. :)
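    The two failure modes raised in this thread, a client-side-only "min 1" check on the view count and an email link scanner consuming the single view before the recipient does, can be modelled in a few lines. This is an added example, not pass.sh's code; the store, the cap on views and the `hunter2` sample secret are constructed for illustration.

```python
import secrets
from dataclasses import dataclass

# Constructed upper bound for this example; the page does not state one.
MAX_VIEWS_ALLOWED = 100


@dataclass
class SecretRecord:
    secret: str
    views_remaining: int


class SecretStore:
    """In-memory stand-in for the server side of a view-limited secret link."""

    def __init__(self):
        self._records = {}

    def create(self, secret: str, max_views) -> str:
        # Server-side validation: the form's "min 1" attribute is advisory only,
        # because anyone can edit the form or send the request directly.
        if isinstance(max_views, bool) or not isinstance(max_views, int):
            raise ValueError("max_views must be an integer")
        if max_views < 1 or max_views > MAX_VIEWS_ALLOWED:
            raise ValueError(f"max_views must be between 1 and {MAX_VIEWS_ALLOWED}")
        if not secret:
            raise ValueError("secret must not be empty")
        token = secrets.token_urlsafe(32)  # unguessable identifier for the link
        self._records[token] = SecretRecord(secret, max_views)
        return token

    def show(self, token: str):
        """Return the secret and consume one view; None once exhausted or unknown."""
        rec = self._records.get(token)
        if rec is None:
            return None
        rec.views_remaining -= 1
        if rec.views_remaining == 0:
            del self._records[token]
        return rec.secret


def rejects_invalid_view_counts() -> bool:
    """True if the server refuses the values a tampered form could submit."""
    store = SecretStore()
    for bad in (-1, 0, "1", 1.0, MAX_VIEWS_ALLOWED + 1):
        try:
            store.create("hunter2", bad)
            return False
        except ValueError:
            pass
    return True


def link_scanner_burns_single_view():
    """Model an email security filter fetching the link before the human does."""
    store = SecretStore()
    token = store.create("hunter2", max_views=1)
    scanner_saw = store.show(token)    # the filter's automated visit consumes the only view
    recipient_saw = store.show(token)  # the intended recipient then gets nothing
    return scanner_saw, recipient_saw


if __name__ == "__main__":
    print("server rejects tampered view counts:", rejects_invalid_view_counts())
    print("scanner / recipient saw:", link_scanner_burns_single_view())
```

    The second function is the point of the "email filters will visit the links" remark: a one-view link is only as private as the first HTTP client that follows it, and the server cannot tell a link scanner from the recipient.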

  • I see how this is seen as useless and non-secure; and there is logic behind it. But also, as the author suggested this may be a better solution rather than sending e-mails or writing passwords onto a text.

    Also, since it is open source as the author stated, you can run it yourself on your platform. At least you are going to reduce the number of 3rd parties involved.

  • Name kind of conflicts with Pass (password-store). https://www.passwordstore.org

  • This is a neat little application! Would not use it for passwords, but like the idea of temporary snippets of text

  • Why no Unicode support?

  • You should definitely check out Shamir's Secret Sharing.

  • This looks just like pwpush. Have you seen pwpush.com?

  • @jc_sec, I see that you commented that you're the author of this tool. I am trying to wrap my head around why you created it, but am having a really difficult time understanding the motivation. Perhaps, it was an educational project for yourself to learn about working with crypto. If that was the case, then I applaud your learning, but encourage you to treat such projects as throw away learning experiences and not publish them. In fact, I think that this tool is actually quite dangerous and it would be irresponsible to leave it available online and encourage its use.

    First, users should NEVER share their passwords with anyone. Ever. The entire purpose of this tool is to encourage users to share their passwords, which is the exact opposite behavior that any good security training program should be teaching users. Any reason that someone offers to justify the sharing of a password is simply a shortcoming in a specific piece of software supporting business needs. Ironically, Troy Hunt had an article this week about password sharing, which covers the topic well [1][2]. I won't rehash the argument here, but do please read his post.

    Second, the tool offers zero security benefit over sending a password via email.

    > It's better than emailing passwords in plaintext

    No it is not.

    The content entered into the text box is accessible simply by visiting a link, which means that the data is not end to end encrypted. Any email containing the link is equivalent to containing the password because someone simply needs to click on the link to obtain the password. It doesn't matter which cipher you use, which library you use, where you store the keys, etc because the server running the application has the ability to read the plain text content. This tool does not provide end to end encryption, which is required for any reasonable password management tool.

    > makes security more accessible to folks who don't have the time/inclination/technical ability to set up keybase and/or establish PKI for sharing secrets.

    Again, no it does not. This tool does not offer any security value, so it cannot make security more accessible to users. Users do not need to know how to setup Keybase or PKI in order to use other existing secure tools. For example, users should utilize software specifically built for managing passwords, such as LastPass [3], 1Password [4], Dashlane [5], Keeper [6], or a vetted open source alternative.

    I know a thing or two about building end to end encryption systems based on my first hand experience as a Senior Engineer at Virtru [7], a commercially available end to end email encryption solution. I was one of the original employees and helped design the fundamental security architecture, which has been audited by respected independent third parties. You can read more about Virtru's technology on their website [8].

    Again, I do not know whether you truly think that this tool is secure, or if you were just trying to educate yourself and develop some new skills working with crypto libraries. Please realize that this feedback is not intended to vilify, but to educate. Please consider taking this tool down and instead promoting a secure alternative to password management to anyone who asks for guidance on sharing passwords.

    [1] https://www.troyhunt.com/the-trouble-with-politicians-sharin...

    [2] https://www.troyhunt.com/weekly-update-64/

    [3] https://www.lastpass.com/

    [4] https://1password.com/

    [5] https://www.dashlane.com/

    [6] https://keepersecurity.com/

    [7] https://www.virtru.com/

    [8] https://www.virtru.com/client-side-encryption/
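    The distinction the comment above draws, "encrypted" versus end to end encrypted, comes down to who holds the key. The following is an added example, not pass.sh's code and not anything the commenter posted: it contrasts a design where the server generates and stores the key beside the ciphertext with one where the client generates the key and carries it in the URL fragment, which browsers do not send to the server (that fragment design is a common pattern assumed here, not something the page attributes to pass.sh). The HMAC-SHA256 counter keystream plus HMAC tag is a standard-library stand-in for a real AEAD such as AES-GCM, used only so the example runs without third-party packages; the hostname `example.invalid` and the `hunter2` secret are constructed.

```python
import hashlib
import hmac
import os
import secrets
from urllib.parse import urlsplit

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256; stand-in for a real AEAD.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # integrity over nonce||ct
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Server:
    """Stores whatever the client uploads; holds a key only if the client hands it one."""

    def __init__(self):
        self.records = {}  # secret id -> (ciphertext blob, key or None)

    def store(self, blob: bytes, key: bytes = None) -> str:
        sid = secrets.token_urlsafe(16)
        self.records[sid] = (blob, key)
        return sid

    def operator_can_read(self, sid: str) -> bool:
        """Can someone with full access to the server's storage recover the plaintext?"""
        blob, key = self.records[sid]
        if key is None:
            return False          # nothing on the server decrypts this record
        decrypt(key, blob)        # server-held key: plaintext is one call away
        return True


def design_a_server_side_key(server: Server, secret: bytes) -> str:
    # "We use encryption": key generated and kept by the server, next to the ciphertext.
    key = os.urandom(32)
    sid = server.store(encrypt(key, secret), key=key)
    return f"https://example.invalid/show/{sid}"


def design_b_client_side_key(server: Server, secret: bytes) -> str:
    # Client generates the key and never uploads it; it rides in the URL fragment.
    key = os.urandom(32)
    sid = server.store(encrypt(key, secret))
    return f"https://example.invalid/show/{sid}#{key.hex()}"


def secret_id_from_url(url: str) -> str:
    return urlsplit(url).path.rsplit("/", 1)[-1]


def recipient_reads(server: Server, url: str) -> bytes:
    """Whoever holds the full link can read the secret under either design."""
    parts = urlsplit(url)
    blob, stored_key = server.records[secret_id_from_url(url)]
    key = bytes.fromhex(parts.fragment) if parts.fragment else stored_key
    return decrypt(key, blob)


if __name__ == "__main__":
    srv = Server()
    url_a = design_a_server_side_key(srv, b"hunter2")
    url_b = design_b_client_side_key(srv, b"hunter2")
    print("design A, operator can read:", srv.operator_can_read(secret_id_from_url(url_a)))
    print("design B, operator can read:", srv.operator_can_read(secret_id_from_url(url_b)))
```

    Design B removes the server from the set of parties that can read the secret, which is the property the comment means by end to end encryption. It does nothing for the comment's other point: under both designs `recipient_reads` succeeds for anyone holding the link, so a link in an email is still equivalent to the password in that email.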

  • Interesting, but otherwise useless project