Hacker News
Ask HN: How to safely share passwords with normal users online
6 points by oseibonsu 1812 days ago
I thought this would be simple, but how do you safely share passwords with normal users online? Services like 1Password require that you create a guest user with a vault. I'd like to use something that is SOC2 compliant. And it seems like if I wanted to use something like OneTimeSecret https://github.com/onetimesecret/onetimesecret I'd have to host it myself to be sure it was safe. What do you guys use?
4 comments

I'm not sure about SOC2 compliance, but I'd be surprised if it's compliant for you to be generating users' passwords for them. Users should be the only person to know their password.

You could email out a password that only allows the user to change their password, nothing else. Their account won't be accessible until they choose and set their own password. If the initial password is intercepted it doesn't matter (probably, depends on your app) because the account won't have any user data in it yet.

I should be more broad. Any type of secret that needs to be sent to a user.
How are the users going to access the password? Via mobile app, browser, desktop app?

One way is to generate a temporary public-private key on the user-agent. Let the user-agent send the public key to the server. The server encrypts the data with the public key, sends the encrypted data to the user-agent and then deletes the public key. The user-agent then decrypts the received encrypted data using the private key. Once the data is decrypted, the user-agent deletes the public and private keys.

Bitwarden [0] released a product called Bitwarden Send [1] a couple of months ago. Basically, this product helps you to send sensitive information directly to anyone. The information is encrypted end-to-end. Besides that, you can specify expiry time, deletion date, and a password to open your information. It fits with your use case.

[0]: https://bitwarden.com

[1]: https://bitwarden.com/products/send/

I've used Privnote[0] to easily and quickly send self-destructing text-only notes with sensitive information to users both technical and not. Their privacy policy[1] explains how the information is kept safe.

[0]: https://privnote.com

[1]: https://privnote.com/info/privacy

This app is easy to use. https://1time.app/