About

passwordsender.com was created because I needed a simple, lean tool to send passwords to clients and partners, without the hassle of sending over multiple e-mails that end up in the same inbox anyway, or text messages, chat messages. These all have in common that the password is saved in the message history, and that is not good for security. Passwords should be saved in vaults, not chat histories!

Are password links safe?

passwordsender.com is safer than putting password in e-mails, chats, mobile text message because:

The password link can only be retrieved once. If a man-in-the middle retrieves the password link, and retrieves the password, the intended recipient will notice that the transfer failed, and will notify the sender.
The password link can only be used within a limited time. If the link is found in a e-mail history, the password cannot be retrieved after the short expiry time (up to 14 days).
The password is sent without context. The password link can reveal a password, but it does not say where the password goes. That is the context. It is hence still a good idea to send the link without the context through a separate communication method.

Is passwordsender.com safe?

Yes! The password is encrypted in the browser, and saved encrypted in our database. The key has two parts, and one of the two parts is stored in the password link, and will never be sent to the server. Hence, if the database is hacked, the intruder will not find both parts of the key. Further, passwordsender.com is entrusted with a password completely without context. The key is saved, but the keyhole is unknown. It is not known who the sender is, who the receiver is, or what the purpose of the password is. Hence, if the database is hacked, and they would have the second part of the key, it should not matter.
Passwordsender.com is designed to be secure:

The password is encrypted in the browser, one part of the key is stored, the other part of the key is encoded in the password link, and is never sent to passwordsender.com. Only at retrieval, when the pieces come together, the password can be decrypted in the browser
The browser's built in AES-256-GCM encryption is used
The dependencies are kept to a minimum
Standardized tools are used for database and hosting
It is updated regularly with the latest patches
Industry standard guardrails are in place

Is passwordsender.com free?

Yes, as long as the costs of running it is modest and within my budget, it will remain free.