Just throwing this out there: For my free lancing I often need to share passwords or other secrets with clients. (Or they with me.)

I usually suggest Signal for that, but obviously most people don't have that.

Is there a good (and not too pricey - I only do very few freelance projects, so only need it once every few months) password sharing option for this?

I tried 1Password shared vaults, but even that is just too complex for many of my clients.

Open to self hosted ideas, as I have a server I could install this on.

Ideally a very simple thing where both my clients can securely input passwords to share with me without having to create an account (secret link and OTP, or something like that) and I can share links with clients.

Any thoughts?

#SecretManager #Infosec #freelance #selfhost #passwords #password

Thanks for all the comments everyone!

I have decided to go for a self hosted instance of https://pwpush.com

Setup was very simple, and I can brand it, and I think it fits the bill perfectly 👍

Securely Send a Password | Password Pusher

Password Pusher is an application to securely send passwords over the web. Links to passwords expire after a certain number of views and/or time has passed.
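The "expires after a certain number of views and/or time" model above is simple enough to show in a few dozen lines. The following is an added example written for this page, not code from Password Pusher or any other project: an in-memory store where the random token in the link is the only lookup key, and the secret is deleted as soon as either limit is hit. The class and method names (`SecretStore`, `push`, `retrieve`, `purge_expired`) and the injectable `clock` are my own assumptions for the illustration.

```python
"""One-time, time-limited secret links (added example; not pwpush's own code)."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class _Entry:
    secret: str
    expires_at: float   # absolute time, in the units of the clock passed to the store
    views_left: int


class SecretStore:
    """Minimal in-memory store behind a "push a password" link.

    A link that leaks later (chat log, mailbox, browser history) retrieves
    nothing once the view count or the expiry time is exhausted. Note that the
    server still sees the plaintext; this is not end-to-end encryption.
    """

    def __init__(self, clock: Callable[[], float] = time.time):
        self._entries: Dict[str, _Entry] = {}
        self._clock = clock  # injectable so expiry can be tested without sleeping

    def push(self, secret: str, max_views: int = 1, ttl_seconds: int = 3600) -> str:
        """Store a secret and return the opaque token to embed in the link."""
        if max_views < 1 or ttl_seconds < 1:
            raise ValueError("limits must be positive")
        # 32 bytes from the OS CSPRNG (256 bits): far too large to enumerate,
        # so possession of the token is the only way to reach the secret.
        token = secrets.token_urlsafe(32)
        self._entries[token] = _Entry(secret, self._clock() + ttl_seconds, max_views)
        return token

    def retrieve(self, token: str) -> Optional[str]:
        """Return the secret for a live token, consuming one view; None otherwise."""
        self.purge_expired()
        entry = self._entries.get(token)
        if entry is None:
            return None
        entry.views_left -= 1
        if entry.views_left == 0:
            del self._entries[token]   # last allowed view: burn it
        return entry.secret

    def purge_expired(self) -> int:
        """Drop every entry whose expiry has passed; return how many were dropped."""
        now = self._clock()
        expired = [t for t, e in self._entries.items() if e.expires_at <= now]
        for t in expired:
            del self._entries[t]
        return len(expired)

    def __len__(self) -> int:
        return len(self._entries)


def link_for(base_url: str, token: str) -> str:
    """Build the URL a client would be sent (hypothetical path layout)."""
    return f"{base_url.rstrip('/')}/p/{token}"


if __name__ == "__main__":
    # Constructed demo: one secret, viewable once, valid for ten minutes.
    store = SecretStore()
    tok = store.push("correct horse battery staple", max_views=1, ttl_seconds=600)
    print(link_for("https://secrets.example", tok))
    print(store.retrieve(tok))   # the secret
    print(store.retrieve(tok))   # None: already burned
```

A production deployment would persist entries (encrypted at rest) rather than keep them in a dict, and would serve the page over HTTPS so the token is not exposed in transit; the expiry and burn-on-last-view logic is the part that does not change.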

@michael I can't imagine e2e encryption without the client installing an application on their device. 🤔
@morph true. But with HTTPS and self hosted, the risk will be very low.
@michael Simple to use would be an encrypted Nextcloud storage on your side. You give the clients access to a file (like etherpad) where they and you paste the needed information. They'd have to unlock it though. But they can do it in the browser.
@michael Sending the first half of the pass phrase over whatsapp or whatever, the second half over SMS?
@michael is a cli tool like wormhole too complex? https://github.com/magic-wormhole/magic-wormhole
GitHub - magic-wormhole/magic-wormhole: get things from one computer to another, safely
@michael https://onetimesecret.com/ can be useful. Single use, time limited link.
Onetime Secret

Keep sensitive information out of your chat logs and email. Share a secret link that is available only one time.

@endareth thanks! seems similar to pwpush.com, suggested by someone else.
@michael I just have them email the details exc. the password. Then they text me the password.

@Steveb yeah, that’s what I’ve done so far.

I don’t particularly like it though…

@michael Seems the most secure method to me. No third party has all the info.

Remember, all those other systems... They're secure, until they're hacked.

@Steveb true of email and text message as well though (both being notoriously insecure)

@michael But they are separate. That's the point.

Someone has to get the data from both mediums to gain access.

@Steveb yeah, I know. The idea would still be for them to be separate: email me the username, then use the service to send the password, for example.
@michael Fair enough. Was just trying to give a free option that (IMO) works, and is as secure as anything else out there.
@Steveb fair enough. And I think it's a valid approach. I was just trying to explain why I'm moving away from it 👍

@michael Probably not a perfect solution, but you could create an account with Protonmail and utilize their password protected feature. You would need to set up some sort of password with them and communicate that (maybe using 1Password's sharing feature), but once they have that they can log in and reply to your email in a secure way that only you and they can access to share details. It can also be set to auto delete after a period of time to help ensure the data is not hanging around. They just need some sort of email account of their own.

https://proton.me/support/password-protected-emails

How to send Password-protected Emails in Proton Mail | Proton

Proton Mail lets you easily send secure, end-to-end encrypted emails to non-Proton Mail email addresses using a password.
@michael A good old phone call works best with technology limitations! Verbal transcription can be problematic with some clients, though, so obscurity as weak fallback security can work if you, say, conduct key context discussions in one format, e.g. email, and pass along the secret out of context, say SMS.
@Panopticola a phone call would work with weak passwords. But a random 32 character alphanumeric string with special characters? No thanks 😬

@michael True! And I mentioned that.

However if you are blessed with the luxury of 32 characters, you can easily sacrifice a few billion years of your nearly infinite cracking time to make it human friendly and memorable instead of fully randomized. When you have 32 characters, you may as well use a complete sentence with some minor munging, as a password that does not need to be written down eliminates one vector of insecurity.