Signal security
Signal is the most privacy-respecting mainstream messaging app available. Its encryption is excellent, it collects minimal metadata, and it is the app recommended by security researchers, journalists, and privacy advocates for sensitive communications. For most personal and professional conversations, it is the right choice. But “safe for messaging” and “safe for sharing passwords” are different questions.
End-to-end encryption. Signal developed the Signal Protocol — the encryption standard now used by WhatsApp, iMessage (in part), and Google Messages. Signal messages are encrypted on the sender's device and can only be decrypted on the recipient's device. Signal's servers see only encrypted ciphertext and routing metadata. Signal cannot read your messages.
Minimal metadata collection. Unlike most messaging platforms, Signal collects almost no metadata. Signal cannot tell who you are messaging, when, or how often — only the fact that you have an account. This has been demonstrated in legal proceedings where Signal was subpoenaed and could produce almost nothing.
No cloud backup by default. Signal does not back up message history to iCloud or Google Drive by default. Message history is stored locally on the device only. This eliminates the cloud backup vulnerability that affects WhatsApp and iMessage for most users.
Disappearing messages. Signal offers a disappearing messages feature with configurable timers — from 30 seconds to 4 weeks. When enabled, messages are automatically deleted from both devices after the set time.
Signal stores message history locally on your device and the recipient's device. By default, this history is retained indefinitely — until the user manually deletes it or the device is wiped. If the recipient's device is lost, stolen, or physically accessed by someone else, an unlocked device with Signal open gives access to the full message history — including any credentials you have shared.
Signal's disappearing messages delete on a timer that starts from when the message is sent or delivered — not from when it is read. If you set a timer of 1 hour and the recipient opens the message in 5 minutes, the message deletes 55 minutes later on both devices. This is meaningfully different from a credential that is destroyed the moment it is read. For passwords with high sensitivity, the gap matters.
Signal does not tell you whether the message was opened by the intended recipient or someone with access to their unlocked phone. Read receipts confirm the message was read on the device, not by the person you intended.
Signal has desktop clients for macOS, Windows, and Linux. Many users link their Signal account to a desktop client for convenience. The desktop client retains message history. If a computer is shared, left unlocked, or compromised, the Signal desktop history — including credentials — is accessible.
| Property | Signal (30s timer) | One-time link |
|---|---|---|
| E2E encrypted in transit | ✓ | ✓ |
| No cloud backup | ✓ | ✓ |
| Destroyed when read | ✗ (timer-based) | ✓ (atomic delete) |
| Persists on device | ✓ until timer | ✗ never on device |
| Safe over any channel | ✗ message is credential | ✓ link is safe |
| Works without Signal | ✗ | ✓ any browser |
For many personal and lower-stakes scenarios, Signal with disappearing messages is a reasonable approach: sharing a Wi-Fi password with a family member or housemate, sending a personal account PIN to a trusted partner, sharing a personal streaming password informally. In these cases, the threat model is relatively low and both parties are likely on Signal already.
For a comparison across all major messaging apps, see "Is it safe to share passwords on WhatsApp, iMessage, Telegram, or Signal?"
Signal with a 30-second disappearing-message timer is significantly better than most alternatives. But it is timer-based, not read-triggered — the credential persists for 30 seconds after delivery regardless of when the recipient reads it. On a device that is left unlocked, it is accessible for that window. A one-time link is destroyed at the moment of first access, which is a structurally stronger guarantee for credentials.
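
The timer-based and read-triggered lifetimes contrasted above and in the comparison table, modelled side by side as an added example; this is not Signal's code or the code of any one-time-link service. The class names, the injected clock and the in-memory dictionaries are assumptions for illustration, and only the lifetime of the secret is modelled, not its encryption.

```python
import secrets
import threading

class TimerStore:
    """Timer-based model: readable until the timer expires, however often it is read."""
    def __init__(self, clock):
        self._clock = clock            # injected so the example needs no sleeping
        self._items = {}               # id -> (secret, expires_at)

    def put(self, secret, ttl_seconds):
        item_id = secrets.token_urlsafe(16)
        self._items[item_id] = (secret, self._clock() + ttl_seconds)
        return item_id

    def read(self, item_id):
        secret, expires_at = self._items.get(item_id, (None, float("-inf")))
        if self._clock() >= expires_at:
            self._items.pop(item_id, None)
            return None
        return secret                  # a read does not shorten the lifetime

class OneTimeStore:
    """Read-triggered model: the first read removes the secret atomically."""
    def __init__(self):
        self._items = {}
        self._lock = threading.Lock()

    def put(self, secret):
        token = secrets.token_urlsafe(16)
        with self._lock:
            self._items[token] = secret
        return token

    def read(self, token):
        with self._lock:               # lookup and delete happen as one step
            return self._items.pop(token, None)

def race_readers(store, token, n=8):
    """Run n concurrent reads of one token; return the reads that got the secret."""
    results = []
    def worker():
        results.append(store.read(token))
    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return [r for r in results if r is not None]
```

With a one-hour timer, a read at 5 minutes and another at 50 minutes both return the credential; with the one-time store, the second read and every losing reader in a race get nothing.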
Signal has demonstrated repeatedly that it cannot produce message content in response to legal requests — it does not have it. What law enforcement can access is the device itself, if they have physical possession and the device is unlocked. Signal provides no protection against physical device access with an unlocked screen.
For most personal use cases, trust in the recipient is the primary concern, and if you trust them completely, Signal is fine. The risk model for credentials is slightly different — the concern is not just the recipient's intentions, but whether the credential survives on their device in a context where it could be exposed later. A compromised device, a shared laptop, a former employee's device that was not properly wiped — these risks exist regardless of whether you trust the person you sent it to.
Signal is the best mainstream messaging app for privacy-sensitive communication. But even Signal stores credentials in the recipient's message history on device. Disappearing messages are timer-based, not read-triggered. For professional credential handoffs or any credential where “destroyed on read” is the right guarantee, a one-time encrypted link provides that property in a way Signal does not — and works for recipients who are not on Signal.