by weird-eye-issue 1818 days ago
I use a similar service for when I need to share passwords whose importance falls somewhere between a Netflix account and a production database.

For example, I might need to give an assistant access to my ShutterStock account to avoid paying ShutterStock an additional $350/month. I don't want that password sitting in email because that just isn't good practice. But I also don't need a full-blown team password management system right now.


If the link is sitting in their email then surely that's just as unsafe as having the password there?
Not exactly. Sure, if your email is compromised someone could access the secret link, and ultimately your password. But now, you will know that someone else had access to your password, since the link won't work for you anymore. This is crucial information.

Btw. You can encrypt your secret with an optional password (which may be shared via a different channel).

No, it expires after they view it.
Yes, this is a nice solution, but email security services do click on links before delivering to the client's email inbox. As such, you may need to set the link expiry click number to greater than 1. And then you lose the security due to being ephemeral. Of course, you can log the IP addresses of the clickers, but still you have the leak.
> email security services do click on links before delivering to the client's email inbox

True. This may be a problem. As mentioned, common bots are being blocked currently; plus, I will be testing POST instead of GET requests (since bots apparently don't do POST). Another obvious solution is to include some kind of user interaction before the secret is fetched, although I don't like that solution so much. C.

In practice this has not been a problem. It's like saying you can't put unsubscribe links in emails because a bot will click on it... You simply design the software so that doesn't happen.

Like I said, I've used a similar service that only allows you to view the secret once and I've used it dozens of times with no problems.

> you just simply design the software so that doesn't happen.

How do you go about doing that? Disregard security service clicks based on IP address blacklists, user agent sniffing, etc.?

Nope you just use a POST request...
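The pattern argued for in the last few comments (the author's note about POST-instead-of-GET and the "just use a POST request" reply), as an added example that is not code from the thread or from any of the services mentioned in it. A GET on the link returns a harmless preview page with a form, so a mail scanner that follows the link changes nothing; only a POST reveals and burns the secret, and a second POST gets a 410 so the recipient (or the sender) learns the link was already used. The store, the token format, the documentation-range IP addresses and the `simulate_delivery` walkthrough are all constructed for this illustration.

```python
# Added example (not code from the thread or from any service mentioned in it).
# One-time secret link that is consumed only on POST, so an email security
# scanner that follows the GET link does not burn the secret.
import hashlib
import secrets
import threading
import time

PREVIEW_PAGE = (
    "<html><body><p>Someone shared a secret with you. It can be viewed once.</p>"
    '<form method="post"><button type="submit">Reveal secret</button></form>'
    "</body></html>"
)


class OneTimeSecretStore:
    """In-memory store; a real service would back this with a database but keep the same rules."""

    def __init__(self, ttl_seconds=24 * 3600):
        self._lock = threading.Lock()
        self._items = {}       # sha256(token) -> (secret, expires_at)
        self.access_log = []   # (unix_time, method, remote_addr, outcome)
        self._ttl = ttl_seconds

    @staticmethod
    def _key(token):
        # Store only a hash of the token, so a dump of the store cannot be turned into working links.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, secret):
        token = secrets.token_urlsafe(32)  # 256 bits of entropy: the link is unguessable
        with self._lock:
            self._items[self._key(token)] = (secret, time.time() + self._ttl)
        return token

    def handle(self, method, token, remote_addr):
        """Serve one HTTP request for /s/<token>; returns (status, body)."""
        key = self._key(token)
        with self._lock:
            entry = self._items.get(key)
            if entry is not None and entry[1] < time.time():
                del self._items[key]          # expired: treat exactly like a burned secret
                entry = None
            if method == "GET":
                # Safe, idempotent preview: scanners, link unfurlers and idle clicks land here
                # and change nothing. The IP is logged so later leaks can be attributed.
                self.access_log.append((time.time(), "GET", remote_addr, "preview" if entry else "missing"))
                if entry is None:
                    return 404, "This secret does not exist or has already been viewed."
                return 200, PREVIEW_PAGE
            if method == "POST":
                if entry is None:
                    self.access_log.append((time.time(), "POST", remote_addr, "already-burned"))
                    return 410, "Already viewed. If that was not you, rotate the credential now."
                del self._items[key]          # burn-on-read under the lock: two racing POSTs cannot both win
                self.access_log.append((time.time(), "POST", remote_addr, "revealed"))
                return 200, entry[0]
            return 405, "Method not allowed"


def simulate_delivery(store, secret):
    """Walk the scenario from the thread: scanner GET, recipient GET then POST, later POST fails."""
    token = store.create(secret)
    scanner = store.handle("GET", token, "203.0.113.7")        # mail security service follows the link
    recipient_view = store.handle("GET", token, "198.51.100.4")
    recipient_reveal = store.handle("POST", token, "198.51.100.4")
    replay = store.handle("POST", token, "198.51.100.4")       # link is now dead: the "you will know" signal
    return {
        "scanner": scanner[0],
        "recipient_view": recipient_view[0],
        "recipient_reveal": recipient_reveal,
        "replay": replay[0],
        "log_outcomes": [outcome for _, _, _, outcome in store.access_log],
    }


if __name__ == "__main__":
    print(simulate_delivery(OneTimeSecretStore(), "db-password-example"))
```

The GET/POST split defeats scanners that merely fetch URLs; it is not a security boundary. A scanner that renders the page in a sandbox and submits forms would still burn the secret (and then the 410 on the recipient's click is your signal to resend via another channel), and anyone who can read the mailbox can still POST themselves, which is exactly the trade-off the thread describes: you lose the secret, but you find out.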