Ever had to give a password to someone? Maybe a new volunteer helps update the website of your club, or you need to give somebody access to the Twitter account of your organization. The easiest way to do this is to send an email message with all the appropriate login information, but that brings the account username and password together in a convenient packet that could be sniffed in transit, displayed on an unlocked Mac, or unintentionally forwarded to the wrong person. Even using Messages, which has a secure transport system, is not ideal because someone other than the recipient may later search through the conversation history and see the credentials for the account.
A safer way would be to email the username (and any login URLs) and then send the password in Messages separately, without saying that’s what you’re doing. That way, anyone with access to the recipient’s device will have more trouble linking the two pieces of data. But that method is not foolproof, and all the necessary login information may still live on in various places that are accessible.
A free Web site I recently ran across, called One-Time Secret, offers a better solution. One-Time Secret is straightforward. You enter some secret content such as a password, click a button, and the site returns a link that can be used to retrieve your secret content only once.
To use One-Time Secret, visit its website, paste the appropriate password from your password manager into the “Password material goes here” field, and click the Build A Secret Link button.
Copy the generated link, and send it to the recipient.
How you choose to do this hinges on the account’s importance. In most cases, where hackers are not actively targeting you and the account in question is not protecting sensitive data, it is probably safe to send the username and the password link in separate email messages so that they cannot be easily linked. For greater security, send the username via email and the password link via Messages (or vice versa). Whatever method you use, follow up with the recipient to ensure they were able to retrieve the password and store it in their password manager.
The follow-up is important. Because a One-Time Secret password link can be used only once, if the recipient is unable to access it, that is solid proof that someone else has done so. If this happens, change the password immediately!
These ways of passing a password share one big concern: what if someone intercepts all traffic between you and your recipient? Or worse, what if the recipient’s computer has been compromised so that the attacker can read all the email and text messaging traffic? Unlikely, I realize, but to counter this possibility you can step up the protection at One-Time Secret. In effect, you’ll use another password to protect the password you’re sharing.
To do this, enter a word or phrase in the Passphrase field when creating your password link (make it easy to say, because you will not be communicating it as text). Then call your recipient by phone, Skype, FaceTime Audio, Google Hangouts, Slack, or whatever, and tell them the passphrase out loud. When they follow the One-Time Secret link you sent, they will be asked for the passphrase, which they could know only because it was transmitted in a completely different fashion. For the ultimate in security, you could communicate the passphrase indirectly, using information only the two of you would probably understand (“It’s the nickname we’re using for the lead developer.”). Yeah, dress up an
The other advantage of using a passphrase is that One-Time Secret uses it to encrypt the confidential information. One-Time Secret must store the private information until it is retrieved, which leaves a 7-day period within which the site could be hacked. Of course, as long as you send only passwords, without usernames or other login information, there is an incredibly small risk that the password could be linked to the correct account. However, if you’re concerned about that, just use a passphrase to encrypt your content and communicate the passphrase directly.
When used without an account, your secrets expire after 7 days and can contain a maximum of 25 KB of text. If you sign up for a free account, the expiration period increases to 14 days and you can share up to 50 KB of text. Those maximum sizes mean you can use One-Time Secret for messages other than passwords, but note that the recipient can still make a copy of the content. The other benefit of signing up for an account is that One-Time Secret will send its links to recipients for you via email, making it look as if the email was coming from you. This isn’t a big win over manually copying and pasting the link, but it might be useful in some situations.
If you give someone a secret and instantly regret it, the confirmation screen provides a Burn It button that lets you delete your secret, so that a recipient following the link will have no idea what the secret was.
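To make the behaviour described above concrete (single retrieval, passphrase encryption, 7-day expiry, Burn It, and the follow-up rule), here is a small in-memory model. It is an added example, not One-Time Secret's own code; the class and function names are hypothetical, the cipher is a standard-library stand-in for a vetted AEAD, and leaving the secret in place after a wrong passphrase is an assumption of the model.

```python
import hashlib, hmac, secrets, time

TTL = 7 * 24 * 3600  # anonymous secrets expire after 7 days, per the article

def _derive(passphrase, salt):
    k = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=64)
    return k[:32], k[32:]  # (encryption key, MAC key)

def _xor_stream(key, nonce, data):
    # Stdlib stand-in for a vetted AEAD cipher: HMAC-SHA256 used in counter mode.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

class OneTimeStore:
    """Hypothetical in-memory model of a one-time secret service."""
    def __init__(self, clock=time.time):
        self._items, self._clock = {}, clock

    def create(self, secret, passphrase=""):
        salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
        enc_key, mac_key = _derive(passphrase, salt)
        ct = _xor_stream(enc_key, nonce, secret.encode())
        tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
        token = secrets.token_urlsafe(16)  # the unguessable part of the link
        self._items[token] = (salt, nonce, ct, tag, self._clock() + TTL)
        return token

    def burn(self, token):
        return self._items.pop(token, None) is not None

    def retrieve(self, token, passphrase=""):
        item = self._items.get(token)
        if item is None or self._clock() >= item[4]:
            self._items.pop(token, None)
            return "gone", None  # viewed, burned, expired, or never existed
        salt, nonce, ct, tag, _ = item
        enc_key, mac_key = _derive(passphrase, salt)
        expect = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            return "bad_passphrase", None  # assumption: a wrong guess does not consume it
        del self._items[token]  # destroy before returning: one view only
        return "ok", _xor_stream(enc_key, nonce, ct).decode()

def must_rotate(recipient_status, recipient_saw_secret):
    # Follow-up rule: a dead link the recipient never opened means someone else did.
    return recipient_status == "gone" and not recipient_saw_secret
```

The store keeps only salt, nonce, ciphertext and tag, so a copy of it taken before retrieval does not reveal the secret without the passphrase that was spoken over a separate channel.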
One-Time Secret provides an “Or Generate A Random Password” button for sysadmins who can reset user passwords but don’t want to know the new passwords. It’s intended to simplify creating and sharing a password by making it a single step.
Sysadmins and developers will also appreciate that the code of One-Time Secret is open source, so you can install it locally, and that it even has an API and client library. This may not matter to those who aren’t programmers, but the practical upshot is that those who are wary of using an Internet service can host it on their own secure server, and if there were unpleasant backdoors or other issues with One-Time Secret, someone might have found them by now.
Another app, d-note, is open source too and comes with instructions for installing it on your own server. Although d-note cannot produce random passwords for sysadmins, it can create a QR code that you send to the recipient, who scans it to reveal the secret password. (This article was first published on our site.)
One last point. One-Time Secret is for infrequent, one-off sharing of passwords with people whose technical setup I know little about. For sharing passwords more frequently, it is easier to use password managers such as 1Password and LastPass to exchange them, as long as everyone has the same software. In a perfect world, 1Password and LastPass would incorporate One-Time Secret or d-note code into future versions, too.
I should say, however, that I frequently use One-Time Secret, especially when I exchange passwords with non-technical friends, as it hammers home the need for solid passwords and for not communicating or storing them insecurely. Try it the next time you have to share a password!