Send secrets more securely

Sending passwords (or other confidential information such as credit card numbers or sensitive links) by email or IM can be a security problem: the messages are stored in many places and can be eavesdropped on over insecure connections.

WhisperPassword diminishes this risk.

Send your secret text in 3 easy steps (free, no registration required)

1. Enter the secret text below

Optionally, enter your email below if you want to be notified when and from where the secret text was retrieved. This email address is not disclosed to anyone. Throw-away accounts like @mailinator.com are fine.
Enter an optional tag if sending several secrets within 48 hrs.

2. Click the button


3. Send the link and key below to the person receiving your secret


How WhisperPassword works and why it is better:

WhisperPassword mitigates (doesn't solve) the security problem of sending passwords or other secret information in the clear.

1) The secret text is encrypted right here in the browser with very strong encryption using a random key; the code doing the encryption is the Stanford JavaScript Crypto Library (SJCL). The secret text itself is never transmitted or stored anywhere. Only the encrypted text and an ID (and optionally an email address) are sent to our server; the key is not sent to our server, so we cannot decrypt the data and read the secret text.

2) You send the recipient the link containing a random ID and the key to decrypt the secret text. You can send these two pieces separately in different channels for added security. The link and key are valid for only 48 hours.

3) The recipient clicks on the link and enters the key in the page. The page in the recipient's browser decrypts and shows the secret text, if it hasn't been retrieved before. The link and key work only once, so the secret can be disclosed only once; after the first disclosure the encrypted data is deleted from the server.

If you entered an email address, you get a confirmation email with information about when the secret text was accessed on our server and from what IP address.

The link and key could still be intercepted, but if someone else uses them, the recipient (and optionally the sender) would know that the password had already been revealed.
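Steps 1) to 3) above as an added sketch, not WhisperPassword's own code: Node's built-in AES-256-GCM stands in for SJCL, and the in-memory `OneTimeStore` and all function names are hypothetical.

```javascript
// Added example: Node's built-in crypto (AES-256-GCM) is an assumed stand-in for SJCL.
const crypto = require("crypto");

const TTL_MS = 48 * 60 * 60 * 1000; // link and key are valid for 48 hours

// Sender's side: encrypt locally with a fresh random key.
function encryptSecret(plaintext) {
  const key = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const blob = Buffer.concat([iv, cipher.getAuthTag(), ct]).toString("base64");
  return { key: key.toString("base64"), blob }; // only blob goes to the server
}

// Recipient's side: decrypt locally; throws if the key or blob is wrong.
function decryptSecret(blob, keyB64) {
  const raw = Buffer.from(blob, "base64");
  const decipher = crypto.createDecipheriv(
    "aes-256-gcm", Buffer.from(keyB64, "base64"), raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString("utf8");
}

// Server's side (hypothetical in-memory store): it sees ciphertext and ID only.
class OneTimeStore {
  constructor() { this.items = new Map(); }
  put(blob, now = Date.now()) {
    const id = crypto.randomBytes(16).toString("hex"); // random ID for the link
    this.items.set(id, { blob, expires: now + TTL_MS });
    return id;
  }
  // Delete before returning, so a second request for the same ID gets nothing.
  take(id, now = Date.now()) {
    const item = this.items.get(id);
    if (!item) return null;
    this.items.delete(id);
    return now > item.expires ? null : item.blob;
  }
}

// Constructed sample run.
const store = new OneTimeStore();
const { key, blob } = encryptSecret("constructed-sample-password");
const id = store.put(blob);
const firstRead = decryptSecret(store.take(id), key);
const secondRead = store.take(id); // already retrieved once
```

A `null` on the recipient's first attempt is the signal that someone else fetched the secret first.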

Other sites that encrypt in the browser and give you just a link are flawed: since the encryption key is in the URL, when the recipient uses the link the key is sent to the server where the encrypted secret is stored. This is not a good idea, since a malicious or hacked site could use the key at that moment to decrypt the secret.

