
Security basics

How to share passwords securely

Most people share passwords the same way they share everything else — over email, Slack, or a text message. It is convenient. It is also one of the most common ways credentials get exposed. This guide explains why common methods fail, what “secure” actually means when sharing a password, and how to do it in a way that leaves no trace.

Why common methods fail

Email

Email is the most widely used channel for sharing credentials — and one of the most dangerous. Every message you send is stored on at least three servers: yours, your email provider's, and the recipient's. Many organisations also archive email indefinitely for compliance reasons. A password you emailed two years ago is almost certainly still sitting somewhere in a search index.

Beyond storage, email accounts are a primary target for phishing and credential stuffing attacks. If the recipient's inbox is ever compromised, every password you have sent them becomes accessible — not just recent ones, but every message in their archive.

Slack and team chat

Slack, Microsoft Teams, and similar platforms offer a false sense of security. Messages feel transient, but they are stored persistently and searchable by default. Many workspace plans retain full message history indefinitely. Administrators, compliance tools, and third-party integrations can all access message content. A password shared in a direct message is not private in any meaningful technical sense.

SMS and WhatsApp

Text messages are stored on carrier infrastructure and often backed up to cloud services (iCloud, Google Drive) without users realising. WhatsApp messages, while encrypted in transit, are stored on the recipient's device and frequently backed up to cloud storage in plaintext. If either device is lost, stolen, or forensically examined, those messages are recoverable.

Password manager sharing

Many password managers support credential sharing between users. This is genuinely secure for ongoing relationships — colleagues on the same team, for example. But it requires both parties to use the same tool, creates a persistent shared record, and is overkill when you simply need to hand off a credential once to someone outside your organisation.

What “secure” actually means when sharing a password

A genuinely secure handoff of a credential needs to satisfy three requirements:

  • Encryption in transit and at rest. The credential should never travel as plaintext, and should never be stored as plaintext — not on your device, not on a server, not in a third party's logs.
  • Limited access. Ideally, the credential should be accessible to exactly one person, exactly once. Every additional copy, backup, or access point is an additional attack surface.
  • No persistence. After the recipient has the credential, it should cease to exist anywhere else. Credentials that linger in archives, logs, or search indexes remain vulnerable indefinitely.

Email, chat, and SMS fail on all three. A one-time encrypted link satisfies all three by design.

How one-time encrypted links work

A one-time secret link is a URL that contains an encrypted secret. When the recipient opens it, two things happen simultaneously: the secret is decrypted in their browser and displayed, and the underlying data is permanently deleted from the server. Open the same link a second time and there is nothing left to retrieve.

The encryption happens in your browser before anything is sent to a server. The decryption key never leaves your browser — it lives in the URL fragment (the part after the #), which browsers never include in HTTP requests. This means the service storing the ciphertext cannot decrypt it. Even if the server were breached, an attacker would find only encrypted blobs with no keys.

This architecture is called zero-knowledge: the service operator has zero ability to read what you shared.
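The flow described above, as an added example (not CYPH3RDROP's code): it models the sender, the server and the recipient in one Node.js process, using Node's crypto module in place of the browser's WebCrypto so it runs offline. The origin `drop.example`, the `/s/<id>` path layout, the in-memory `store` and all function names are assumptions made for illustration.

```javascript
// Added example: sender, server and recipient modelled in one process.
const nodeCrypto = require('node:crypto');

// Hypothetical server storage: id -> { iv, ct, tag }. It never holds a key.
const store = new Map();

// Sender side: encrypt locally, upload ciphertext, keep the key in the fragment.
function createLink(secret, origin = 'https://drop.example') {
  const key = nodeCrypto.randomBytes(32); // AES-256 key
  const iv = nodeCrypto.randomBytes(12);  // 96-bit GCM nonce
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(secret, 'utf8'), cipher.final()]);
  const id = nodeCrypto.randomBytes(16).toString('hex');
  store.set(id, { iv, ct, tag: cipher.getAuthTag() });
  return `${origin}/s/${id}#${key.toString('base64url')}`;
}

// What an HTTP request for the link carries: path and query, never the fragment.
function requestTarget(link) {
  const url = new URL(link);
  return url.pathname + url.search;
}

// Server side: hand the blob out once, then delete it.
function fetchOnce(target) {
  const id = target.split('/').pop();
  const blob = store.get(id) || null;
  store.delete(id);
  return blob;
}

// Recipient side: fetch the blob, then decrypt with the key from the fragment.
function openLink(link) {
  const blob = fetchOnce(requestTarget(link));
  if (!blob) return null; // already opened, expired, or never existed
  const key = Buffer.from(new URL(link).hash.slice(1), 'base64url');
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.iv);
  decipher.setAuthTag(blob.tag);
  // final() throws if the key or ciphertext does not authenticate
  return Buffer.concat([decipher.update(blob.ct), decipher.final()]).toString('utf8');
}
```

In this model the blob is deleted on the first request whether or not decryption succeeds, so any earlier access shows up to the intended recipient as a dead link.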

Step-by-step: sharing a password with CYPH3RDROP

  1. Go to cyph3rdrop.com and paste the password into the form.
  2. Click Generate. Your browser encrypts it locally using AES-256-GCM. Nothing is sent in plaintext.
  3. Copy the one-time link that is generated.
  4. Send the link to the recipient over any channel — email, Slack, SMS, whatever is convenient.
  5. They open it once. The password appears. The link is immediately and permanently destroyed.

No account required. No sign-up. The entire process takes under a minute.

A note on channel choice for the link itself

Once the secret is encrypted, the link is safe to send over any channel. The link contains only ciphertext and a key fragment that is never sent to the server. An attacker who intercepts the link cannot extract the password without opening it first — which burns the link and alerts the intended recipient that something went wrong.

That said, use a reasonably trusted channel for the link. If someone opens it before the recipient does, the recipient will know immediately because the link will be dead.

Common questions

What if the link expires before the recipient opens it?

CYPH3RDROP links expire after 7 days if unopened. After that, the encrypted data is permanently deleted from the server. If your recipient misses the window, you will need to create a new link.

Is it safe to send the link and the password hint over the same channel?

Avoid sending both in the same message. If you want to give the recipient context about what the link contains, send the hint separately — a different message, or a different channel. The goal is to avoid having both pieces of information in the same place.

What if I need to share the same password with multiple people?

Generate a separate link for each person. Each link is independent — burning one does not affect the others. This also lets you track whether each recipient has opened their link.

Can I use this for things other than passwords?

Yes. One-time links work for any text-based secret: API keys, SSH keys, private notes, .env file contents, database credentials, or any sensitive information you need to hand off once without leaving a trace.

The bottom line

Passwords shared over email or chat are never truly gone. They sit in archives, search indexes, and backups — sometimes for years. A one-time encrypted link eliminates that exposure entirely: the credential is encrypted before it leaves your device, stored only as ciphertext, and destroyed the moment it is read. It is the closest thing to handing someone a note and watching them read it in front of you.

Try it now

No account required. Paste a password, get a one-time link, share it. Done.
