Ask HN: How to safely share passwords with normal users online
I thought this would be simple, but how do you safely share passwords with normal users online. Services like 1Password require that you create a guest user with a vault. I'd like to use something that is SOC2 compliant. And it seems like if I wanted to use something like OneTimeSecret https://github.com/onetimesecret/onetimesecret I'd have to host it myself to be sure it was safe. What do you guys use?
6 comments
[ 0.23 ms ] story [ 26.1 ms ] threadYou could email out a password that only allows the user to change their password, nothing else. Their account won't be accessible until they choose and set their own password. If the initial password is intercepted it doesn't matter (probably, depends on your app) because the account won't have any user data in it yet.
One way is to generate a temporary public-private key on the user-agent. Let the user-agent send the public key to the server. The server encrypts the data with the public key, sends the encrypted data to the user-agent and then deletes the public key. The user-agent then decrypts the received encrypted data using the private key. Once the data is decrypted, the user-agent deletes the public and private keys.
[0]: https://privnote.com [1]: https://privnote.com/info/privacy
[0]: https://bitwarden.com
[1]: https://bitwarden.com/products/send/