Ask HN: How do you share passwords simply and securely?

60 points| okidogi | 5 years ago | reply

I saw lots of password sharing (especially at work, between family members or friends, purposely or non-purposely) in plain text in a wiki, or in a doc with restricted permissions.

Are there existing tools (or non-existing tools) that can simplify the password-sharing experience securely?

(A password manager seems like a way of securely sharing passwords, but it usually requires registration and is guarded behind a paywall. Not simple enough IMHO.)

84 comments

[+] some_furry|5 years ago|reply
Bitwarden is 100% FOSS and was audited by Cure53.

https://github.com/bitwarden

https://cure53.de/pentest-report_bitwarden.pdf

This takes care of the paywall problem, at least.

Alternatively, age (https://age-encryption.org) or Magic Wormhole (https://github.com/warner/magic-wormhole) should be viable choices.

[+] marfife|5 years ago|reply
Bitwarden is amazing. It's still a young project, but the fact that it's FOSS and that you can host it yourself, gives it a real compelling reason for personal and enterprise use.
[+] 3fe9a03ccd14ca5|5 years ago|reply
Password managers are a godsend, but it’s still very challenging getting the older generation to use password managers. Anyone who says otherwise hasn’t given it a try.

Things like iOS/Safari autogen/auto-save have done A LOT to make passwords secure for the middle tier, but the older generation is still a challenge.

[+] arvinsim|5 years ago|reply
I am using KeePass synced with Dropbox. Does Bitwarden have a way to import these as well as export out my stuff in case I opt to change to another password service?
[+] dzelzs|5 years ago|reply
Bitwarden is quite young, but after a couple of years of solo-deving they are finally expanding, and the next year or two might see it get a lot of extra features that are very helpful, at least if the info that was talked about in their customer forum is accurate. I use it both at work and personally.
[+] GaryNumanVevo|5 years ago|reply
+1 for Bitwarden. I host it myself, and it's got great support for apps on iOS / Android. The browser extension works well.
[+] reaperducer|5 years ago|reply
Decades ago, tech-savvy people used to make fun of office workers who would put their passwords on Post-It notes stuck to their computers.

Considering that the world has changed and the vast majority of password security issues today come in through the network, and not the front door, it's amusing to think that pen-and-paper is probably one of the better options these days. After all, if the bad guys have physical access to the computer, there's pretty much nothing you can do to stop them, anyway.

[+] CyberRage|5 years ago|reply
While Post-it notes offer natural resistance to any non-physical threats, they lack the comfort and usability of having your password on your PC.

Assuming someone has access to the host, dumping passwords or keylogging them isn't very hard, therefore defeating the whole point.

[+] teddyc|5 years ago|reply
Just don't do a video interview at your desk or take any pics of your workspace.
[+] k4ch0w|5 years ago|reply
If you do this please make it stronger than password123, letmein, monkey12.
[+] 3fe9a03ccd14ca5|5 years ago|reply
Agree! I actually tell family and friends to write passwords down in a notebook if they’re not savvy enough to use a password manager. What’s old is new again!
[+] yebyen|5 years ago|reply
So when I saw people using onetimesecret.com to share sensitive credentials at work (this is a free tool hosted by a third party that IMHO there was no reason to believe is trustworthy) I was a little bit taken aback, because to me this seemed only marginally better than putting the password in an email, and in many ways potentially much worse.

Then I realized, it's open source, and you can host your own instance if you want to trust onetimesecret a bit less:

https://github.com/onetimesecret/onetimesecret

Then I realized (further) there is a fork that has been containerized and prepped for use on OpenShift (and ostensibly Kubernetes upstream, as well?)

I have not set up my own hosted versions of these, but the fact that it's Open Source makes me feel hopeful that it should be trustworthy. And if you want to be lazy and don't run a hosted service, there is always the public version:

https://onetimesecret.com

Finally I realized, you can protect the exploding secret with a password, which I presume encrypts and decrypts in a localized context, in the browser (so data is not stored unsafely on onetimesecret's infrastructure in a way that it could be recovered by an adversary, without the shared secret at least, which granted could still be compromised.)

If it matters to you, you will need to verify all of that for yourself, but I think that all of those details are facts, (at least if I was onetimesecret I wouldn't have published the source unless all those things were true.)

[+] mathie25|5 years ago|reply
We are using a hosted version of onetimesecret for internal usage.

We mainly used it on Slack. We made a slash command (/secret) to easily share passwords on Slack.

So the only thing you need to do is write /secret YourPassword.

After that, you need to be authenticated via Google SSO as we added a proxy. Yes, we know, the password goes through Slack.

[+] arkadiyt|5 years ago|reply
Ryan Huber wrote and open-sourced a single file web app called flashpaper for sharing secrets. Here's a version of it I've deployed - it's public to the internet, anyone can create a secret and share it via a one-time-use link:

https://flashpaper.logsnitch.com

Here's Ryan's code:

https://github.com/rawdigits/go-flashpaper

[+] helper|5 years ago|reply
Flashpaper is great if you have a trusted server and a trusted operator running it. Seriously, don't use a random flashpaper server on the internet if you want to keep your secrets secret.
[+] watermelon0|5 years ago|reply
Weird that it wasn't mentioned yet, but you should NEVER share passwords between people at work.

Employees should have their own user accounts for every service used, managed by some identity provider.

Anything else is hard to audit, hard to (de-)provision, and it's not secure.

---

This of course doesn't apply for sharing between friends, or with really small businesses, where only a few people share them.

[+] Spivak|5 years ago|reply
I mean you're right but that doesn't describe the reality.

* The AWS root account credentials.

* Redis

* Password protected certs.

* The Ansible vault password.

* The local admin account on your LDAP/AD server.

* IPMI devices that only have a single account.

[+] BurningFrog|5 years ago|reply
You do need to share passwords to common accounts.
[+] mox1|5 years ago|reply
This is just not how corporations work; every corporation needs some type of secret sharing. CyberArk is a billion-dollar business.

It includes an audit trail.

[+] teddyc|5 years ago|reply
Nobody else on my team wears a tinfoil hat like I do, but I'd be happy with https://www.passwordstore.org/ with the data stored on a private git repo that we can all access.

This is what I use for my own passwords and I'm able to sync them across devices, which is nice.

[+] cjauvin|5 years ago|reply
I'm also using this excellent tool, along with a nice Emacs integration for it (https://github.com/NicolasPetton/pass) and I really like it for the control and flexibility it gives, especially in the context of a developer's environment.
[+] jbackus|5 years ago|reply
I'm building Jam (https://jam.link/) to tackle this problem. You can think of it as a consumer password manager built specifically for sharing.

It's fully frontend encrypted, so Jam doesn't know what logins you save and it can't read your secret credentials. The cryptography is based on 1Password's design (https://1password.com/files/1Password-White-Paper.pdf). I'd be happy to share details if people are curious.

Jam's focus on sharing comes through, right now, in the UI and default behavior. For example, when you save a new login, your friends in the system can proactively request access. To visually illustrate that: If I save a new login to Jam (like so https://i.imgur.com/syM2bep.png) then my friend gets a notification about that account, can see what it is (https://i.imgur.com/ZUKwfBB.png) and can request access (https://i.imgur.com/3SCcBm5.png).

It's in private beta right now, it's free to use, and I'm looking for as much feedback as possible. I'm happy to add people from HN right away, just email me at john at jam dot link

[+] Exuma|5 years ago|reply
I use Signal which was verified on different levels as "secure" according to Kevin Mitnick, so that's good enough for me.
[+] ignoramous|5 years ago|reply
I've found that the simplest way to share secrets is through https://sharelock.io/new

Do not expect complete security-- the apparent ease of use comes with a lot of caveats. Ref: https://news.ycombinator.com/item?id=9110146

Then there's the excellent magic-wormhole for the more enterprising amongst us: https://news.ycombinator.com/item?id=14649727

Signal's disappearing messages is probably a better but different alternative to sharelock: https://signal.org/blog/disappearing-messages/

[+] freedomben|5 years ago|reply
I recommend first Keybase[1] if you can convince others to make an account and install on their systems. If you cannot (a common problem in business I've discovered) then PrivateBin[2] is my next preference. Their .info site explains the project and the .net site is a working example you can try[3].

If "Simply" is very important, go with PrivateBin. Keybase is not hard but it's a bit involved to create an account and manage your keys on multiple devices and such.

If you are at work I recommend setting up your own instance of it. I threw together a simple single-node instance of it that runs in a container (Docker) with systemd supervising. It uses nginx as a proxy and has built-in support for Let's Encrypt (because you are using TLS right?). I open sourced the scripts: https://github.com/FreedomBen/privatebin-setup

If anybody is wanting to set up their own PrivateBin using those scripts and my images, let me know and I will document it better. I just haven't put in the time because until this moment I didn't know if it would actually be useful to anybody.

[1]: https://keybase.io

[2]: https://privatebin.info/

[3]: https://privatebin.net/

[+] chrisked|5 years ago|reply
Would love to give your images a try and would appreciate a bit more documentation. Certainly useful! Thank you.
[+] this_was_posted|5 years ago|reply
HashiCorp's Vault has a feature called wrapping; this allows you to share a secret in a way that it can be opened once (with an expiration date as well).
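The "open once, then it's gone" behaviour that onetimesecret, flashpaper and Vault's wrapping are described as sharing above, as an added illustration (hypothetical code, not from any of those projects): the store keeps only a hash of the share token, so a leaked database yields no working links, removes the entry before returning it, so a second read can never succeed, and enforces a time-to-live. The clock is injectable only so the behaviour can be exercised deterministically.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class _Entry:
    secret: str
    expires_at: float


class OneTimeSecretStore:
    """Burn-after-read secret store with a TTL (hypothetical, for illustration).

    The server-side store never holds the share token itself, only its
    SHA-256; the token travels in the one-time link handed to the recipient.
    """

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock  # injectable so tests can advance time
        self._entries: Dict[str, _Entry] = {}

    @staticmethod
    def _key(token: str) -> str:
        # Hash the token before using it as the lookup key, so a dump of
        # the store cannot be turned into usable retrieval links.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def put(self, secret: str, ttl_seconds: int = 3600) -> str:
        """Store `secret` and return the one-time token for the link."""
        token = secrets.token_urlsafe(32)  # 256 bits of entropy
        self._entries[self._key(token)] = _Entry(secret, self._clock() + ttl_seconds)
        return token

    def take(self, token: str) -> Optional[str]:
        """Return the secret exactly once; None if unknown, used or expired."""
        # pop() deletes the entry before anything is returned, so a replayed
        # or concurrent second read observes nothing.
        entry = self._entries.pop(self._key(token), None)
        if entry is None or self._clock() > entry.expires_at:
            return None  # an expired entry has already been discarded by the pop
        return entry.secret

    def purge_expired(self) -> int:
        """Housekeeping for links that were never opened; returns count removed."""
        now = self._clock()
        dead = [k for k, e in self._entries.items() if now > e.expires_at]
        for k in dead:
            del self._entries[k]
        return len(dead)
```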
[+] quacker|5 years ago|reply
Fundamentally, you should not share passwords.

1. If only one person needs a password, they should always create a password themselves. For example, you might hand them a newly provisioned laptop with a temporary password to log in. The first thing they should do is change the password.

2. Multiple people using the same password is bad practice. Whenever possible, each person should receive their own user with their own private password if they need long-term access.

That said, sometimes a shared password is a simple practical solution. You could:

- Write it down on paper and hand it to them

- Use a password manager that allows sharing. Several password managers can do this (LastPass, 1Password) but it is a paid feature (inexpensive though at $4/month or less).

- Host a password manager yourself, such as Bitwarden. You will need to ensure it's configured correctly and securely, host it somewhere you control/trust, and maintain it.

- Use a secure/anonymous (file) sharing service. I couldn't recommend one myself.

- Use GPG/PGP or similar, to encrypt messages and send them via email.

At my job, we use LastPass with shared folders for certain credentials. At home, I write passwords down to share with my family.

[+] rapjr9|5 years ago|reply
I often had to share passwords to services with students so they could work on a project. We all had shared access to a Google Docs area and a wiki, both password protected. So once a student was allowed access to either of these protected spaces I could use them to transfer a password. I'd type the password in some random document, tell the student to go look at that document, they'd email that they had the password and I'd remove it from the document. Getting the students access to the Google Docs or wiki was a simple process, they could request access to the Docs and my boss would vet and grant it, or a sys admin would add access to the wiki for them. So once you establish one relatively secure channel, you can leverage it for other secure purposes. Probably not highly secure, but we weren't protecting nuclear secrets.
[+] user16|5 years ago|reply
You can do this in many ways. But you should use end-to-end encryption to guarantee security. For example, you might use a secret conversation that uses end-to-end encryption on some software like Signal, Telegram and Conversations. Or you can use encryption software like gpg (see https://gnupg.org/) with public-key encryption methods to encrypt the password (or any message), and then you can send it using literally anything, like email and so on.

And here is a guide on email encryption (https://emailselfdefense.fsf.org/en/).

[+] tln|5 years ago|reply
I think Keybase does a decent job here.

You can invite someone to a team by email, and they need to install the app, pick a username, and follow the join team instructions.

It's probably technically not as easy for a one off situation as onetimesecret.com, but the app download, setup and chat are pretty familiar UI models for many people.

In the long run, it gives you multiple ways of sharing that secret. Encrypt it and stick it in the wiki, use an encrypted git repo, exploding messages via team chat, etc.

That being said, a real password manager is the proper tool here. I personally like LastPass, and it does require registration but has "1-to-1" sharing in the free version.

[+] nstart|5 years ago|reply
Onetimesecret worked well for me. Can also be self hosted.
[+] lightninglu10|5 years ago|reply
Hey all, we built a tool for Slack that integrates with Firefox Send (open source) that allows you to send passwords securely through Slack!

All you need to do is use a simple slash command

`/secure ...` and you'll be able to securely send images, files, or text through Slack.

Check it out here: https://slack.securesend.quantfive.org/

[+] mathie25|5 years ago|reply
Will check this out, thanks! Was looking exactly for a Slack integration of Firefox Send, but never found anything.

Is it possible to use our own hosted Firefox Send? Thanks!