Ask HN: How do you share passwords simply and securely?

60 points by okidogi ↗ HN
I saw lots of password sharing (especially at work, between family members or friends, purposely or non purposely) with plain text in the wiki, or restricted permission of doc.

Are there existing tools (or non-existing tools) that can simplify password sharing experience securely?

(Password manager seems a way of securely sharing password, but it usually requires registration and is guarded behind a paywall. Not simple enough IMHO)

88 comments

[ 2.6 ms ] story [ 132 ms ] thread
Bitwarden is 100% FOSS and was audited by Cure53.

https://github.com/bitwarden

https://cure53.de/pentest-report_bitwarden.pdf

This takes care of the paywall problem, at least.

Alternatively, age (https://age-encryption.org) or Magic Wormhole (https://github.com/warner/magic-wormhole) should be viable choices.

Bitwarden is amazing. It's still a young project, but the fact that it's FOSS and that you can host it yourself, gives it a real compelling reason for personal and enterprise use.
Password managers are a godsend, but it’s still very challenging getting the older generation to use password managers. Anyone who says otherwise hasn’t given it a try.

Things like iOS/safari autogen/auto save has done A LOT to make passwords secure for the middle tier, but older gen is still a challenge.

I am using KeePass synced with Dropbox. Does Bitwarden have a way to import these as well as export out my stuff in case I opt to change to another password service?
I was doing KeePass over Dropbox for years. Keeping android in sync was a pain. The integration was too disruptive for my wife to adopt. Dropbox also started limiting the number of devices I can have synced. Bitwarden solves all of that. Cleaner UI, easier to use, always synced between devices, etc.
Yes, it supports import from Keepass. I did 1Password -> Bitwarden and then settled back on KeePassXC.

The import and export are not always frustration free but it does work. Do keep the old copies around for a while just in case something is amiss.

+1 for Bitwarden. I host it myself, it's got great support for apps on IOS / Android. The browser extension works well.
Bitwarden is quite young, but after a couple of years of solo-deving they are finally expanding, and the next year or two might see it get a lot of extra features that are very helpful - atleast if info that was talked about in their customer forum is accurate. I use it both at work and personally.
Ryan Huber wrote and open-sourced a single file web app called flashpaper for sharing secrets. Here's a version of it I've deployed - it's public to the internet, anyone can create a secret and share it via a one-time-use link:

https://flashpaper.logsnitch.com

Here's Ryan's code:

https://github.com/rawdigits/go-flashpaper

Flashpaper is great if you have a trusted server and a trusted operator running it. Seriously, don't use a random flashpaper server on the internet if you want to keep your secrets secret.
Gramma's maiden name followed by our street address and the current date
I've found that the simplest way to share secrets is through https://sharelock.io/new

Do not expect complete security-- the apparent ease of use comes with a lot of caveats. Ref: https://news.ycombinator.com/item?id=9110146

Then there's the excellent magic-wormhole for the more enterprising amongst us: https://news.ycombinator.com/item?id=14649727

Signal's disappearing messages is probably a better but different alternative to sharelock: https://signal.org/blog/disappearing-messages/

The reason sharing requires a registration is so it can be end-2-end encrypted. Anything less than that is way easier for hackers to get their hands on.
You can have e2e encryption without registration and you can have registration without e2e encryption - they are orthogonal to each other.
https://0bin.net is one of the few services that you can use without logging in + has a client-side encryption key in the URL.

Example paste: https://0bin.net/paste/pfznjakZKHYGZyHS#rSk3vYexHzFn-NPPtfJT...

We have a keepaas file that has the passwords for a number of client resources. The clients don’t roll their passwords very often.
(comment deleted)
An expiring message sent using an open source encrypted messenger (e.g. Signal, Wire, etc.).
GPG Encrypt + Slack or Keybase exploding message$
the answer changes depending on if you're talking about your Netflix Login or the login to the production work server
Not if you use the same password for both of them :')
Onetimesecret worked well for me. Can also be self hosted.
(comment deleted)
Hashicorps Vault has a feature called wrapping, this allows you to share a secret in a way that it can be opened once (with an expiration date as well)
I use Signal which was verified on different levels as "secure" according to Kevin Mitnick, so that's good enough for me.
A psafe3 file (https://www.pwsafe.org/) in a git repo.
My team has used a KeePassX database in a private git repo. Others use a company-wide install of Thycotic.

For other cases we have a company-wide install of Hashicorp's Vault, which has a secret-wrapping/sharing feature.

Decades ago, tech-savvy people used to make fun of office workers who would put their passwords on Post-It notes stuck to their computers.

Considering that the world has changed and the vast majority of password security issues today come in through the network, and not the front door, it's amusing to think that pen-and-paper is probably one of the better options these days. After all, if the bad guys have physical access to the computer, there's pretty much nothing you can do to stop them, anyway.

Agree! I actually tell family and friends to write passwords down in a notebook if they’re not savvy enough to use a password manager. What’s old is new again!
While post notes offer natural resistances to any non-physical threats, they lack the comfort and usability of having your password on your PC.

Assuming someone has access to the host, dumping passwords or keylogging them isn't very hard, therefore defeating the whole point.

If you do this please make it stronger than password123, letmein, monkey12.
So when I saw people using onetimesecret.com to share sensitive credentials at work (this is a free tool hosted by a third party that IMHO there was no reason to believe is trustworthy) I was a little bit taken aback, because to me this seemed only marginally better than putting the password in an email, and in many ways potentially much worse.

Then I realized, it's open source, and you can host your own instance if you want to trust onetimesecret a bit less:

https://github.com/onetimesecret/onetimesecret

Then I realized (further) there is a fork that has been containerized and prepped for use on OpenShift (and ostensibly Kubernetes upstream, as well?)

I have not set up my own hosted versions of these, but the fact that it's Open Source makes me feel hopeful that it should be trustworthy. And if you want to be lazy and don't run a hosted service, there is always the public version:

https://onetimesecret.com

Finally I realized, you can protect the exploding secret with a password, which I presume encrypts and decrypts in a localized context, in the browser (so data is not stored unsafely on onetimesecret's infrastructure in a way that it could be recovered by an adversary, without the shared secret at least, which granted could still be compromised.)

If it matters to you, you will need to verify all of that for yourself, but I think that all of those details are facts, (at least if I was onetimesecret I wouldn't have published the source unless all those things were true.)

Absolute layman here. Care to elaborate?
Sorry, I don't know how to best ELI5 the problem space as well as I probably should.

SHA256(x) is a hash function that transforms some string x (of any length) into a fixed size output.

SHA256(x) is deterministic. Every x maps to one 256-bit output.

SHA256(predictable junk) is going to look random, but will actually be predictable. This becomes security theater.

This looks fine to me?

I mean the process of putting secrets in a web site is fraught, but:

a) KDFs in general are deterministic, not sure about your point here.

b) As long as you have sufficient input entropy, using SHA256 to mix some stuff down to key size is fine. You don't need a heavyweight KDF unless your input entropy is really bad.

File an issue if you're really sure, I guess?

That's the ticket though: I suspect the entropy is really bad.

This is how encryption_key gets invoked: https://github.com/onetimesecret/onetimesecret/blob/8ba0511e...

This is where the entropy is sourced from: https://github.com/onetimesecret/onetimesecret/blob/8ba0511e...

The global secret comes from: https://github.com/onetimesecret/onetimesecret/blob/8ba0511e...

self.key comes from gibbler.base(36): https://github.com/onetimesecret/onetimesecret/blob/8ba0511e...

At no point is anything touching /dev/urandom, which is how cryptography keys should be generated.

(Additionally, HKDF-SHA-256 should be used for splitting a master key into multiple sub-keys.)

I don't know if I want to file an issue for this on Github or not. Usually when the crypto is this bad, there's a lot of cargo-culting and I don't have the emotional bandwidth to deal with a vim-crypt style debate.

Yeah I had a look and this is... not great.

I take it all back.

We are using a hosted version of onetimesecret for internal usage.

We mainly used it on Slack. We made a slash command (/secret) to easily share passwords on Slack.

So the only thing you need to do is write /secret YourPassword.

After that, you need to be authenticated via Google SSO as we added a proxy. Yes, we know, the password goes through Slack.

... aren't you then sharing it with the Slack (the service, not the room) too?
If you are just wanting to share the secret once (not persistently) this works really well: https://onetimesecret.com/

You can use the public version or host yourself.

magic-wormhole was our standard answer to this problem.
You don’t.

Whatever tool you want people to collectively use, everyone should have their own account to authenticate, there’s absolutely no need to share a password ever. It’s a lazy insecure solution implemented by people who either can’t be bothered to do it the correct way, are too cheap to pay for a multi account subscription and rather compromise their own security or simply unskilled and don’t know that everyone can use their own account.

You're talking about what should be the case, not what is the case.

In the real world, just as there are plenty of services with poor password practices (e.g. restricting people to numeric PINs when longer-length alphanumeric passwords would be much better) there are also services that don't offer multiple user profiles tied to the same account.

It's fine to point out that these services should implement such a feature, but OP's question is about what to do if you need shared access to a service that hasn't yet implemented such a feature.

(comment deleted)
> everyone should have their own account to authenticate, there’s absolutely no need to share a password ever. It’s a lazy insecure solution implemented by people who either can’t be bothered to do it the correct way, are too cheap to pay for a multi account subscription and rather compromise their own security or simply unskilled and don’t know that everyone can use their own account.

We develop iOS applications. We have an organisation developer account with Apple that allows us to give each of our team members their own login, complete with varying permissions levels.

On a fairly regular basis, Apple updates their license agreement. This requires the account owner to read and agree to the new terms before we can make changes to our account. This is the one permission that cannot be delegated. It has to be the account owner and nobody else on the team can do it. Furthermore, that account must be protected with MFA.

We also develop Android apps. We have a similar account on the Play Store. We'd like to connect our API servers to the Google Play developer account so that we can verify receipts for in-app purchases to determine that they are authentic. Doing so requires the account owner to enable this API. No other team member is allowed to do it.

The account owner is on holiday / off sick / hit by a bus. How do we do this?

We have an old android phone for Authy MFA and SMS MFA. It lives in a safe and a few people can get access to it.
This was my first instinct. But what about something like a company Twitter account?
For Twitter, use TweetDeck. You can give other users the ability to post without sharing the password.

Any competent service provider should be able to set up something similar.

Weird that it wasn't mention yet, but you should NEVER share passwords between people at work.

Employees should have their own user accounts for every service used, managed by some identity provider.

Anything else is hard to audit, hard to (de-)provision, and it's not secure.

---

This of course doesn't apply for sharing between friends, or with really small businesses, where only a few people share them.

You do need to share passwords to common accounts.
This is just not how corporations work, every corporation needs some type of secret sharing. CyberArk is a billion-dollar business.

It includes an audit trail.

I mean you're right but that doesn't describe the reality.

* The AWS root account credentials.

* Redis

* Password protected certs.

* The Ansible vault password.

* The local admin account on your LDAP/AD server.

* IPMI devices that only have a single account.

Privnote https://privnote.com/ is simple and does not require any sign up to create simple one-time links which are self destructive
Nobody else on my team wears a tinfoil hat like I do, but I'd be happy with https://www.passwordstore.org/ with the data stored on a private git repo that we can all access.

This is what I use for my own passwords and I'm able to sync them across devices, which is nice.

I'm also using this excellent tool, along with a nice Emacs integration for it (https://github.com/NicolasPetton/pass) and I really like it for the control and flexibility it gives, especially in the context of a developer's environment.