A Simple, Secure, Ephemeral Way to Share Passwords

Friday, March 25, 2016

My job frequently requires me to distribute passwords to people. Those people could be coworkers or employees from another company or organization. Passwords are something that need to be transmitted securely, but I didn’t have a simple, secure way to do this.

Because I have to distribute passwords to coworkers and employees from other companies and organizations, I needed to send those passwords over the most common communication platform: email. It is extremely reckless to send passwords in plain text through email. Even today, you still can’t be sure the remote party has encrypted email connections and, unfortunately, encrypting the email contents isn’t simple enough to garner widespread adoption.

I needed a simple, secure, and ephemeral way to share passwords over email and other communication platforms.

Searching the web reveals a handful of options, but there was nothing I was interested in setting up. Most of the options required both parties to install new software; I simply wanted to use a web browser.

Finally, I discovered SnapPass and decided it was the tool I was looking for.

SnapPass was originally created by Owen Coutts and Ryan Park, and is maintained by Nicholas Charriere and Yongwen Xu from Pinterest. They describe it as “Snapchat for passwords”. It is a self-hosted Python Flask web application that uses redis for backend ephemeral storage. The code is straightforward to understand, and the web application itself is relatively easy to get up and running.

Using the web application is simple: you navigate to a secure URL, input a password into a text field, select an expiration time, and click generate URL. You are presented with a secure, unique URL to share with your intended recipient. The URL can only be accessed once. If your intended recipient was able to view the URL and the password, you can rest assured only they saw the password. If your intended recipient was not able to view the URL and the password, the URL either expired based on the expiration time you set, or an unintended recipient saw the password and there is a potential leak in whatever communication platform the URL was sent over.

When I first wrote this post, the SnapPass GitHub repository had not been updated since November 4, 2014. Because of this, I maintained my own fork.

However, as of July 18, 2016, updates to the SnapPass GitHub repository have picked up again. So, I have decided to work with the maintainers and contributors to incorporate the following changes on top of their repository instead of just my own:

  • UI improvements with a responsive design and mobile viewport
  • Introducing an intermediary page to fix an issue with chat clients (Facebook Messenger, Slack, iMessage, etc.) issuing a GET request and deleting the password before the end user could see it
  • Adding an API

To quickly get started with SnapPass, there is a docker-compose.yml file available to use. Using the docker-compose file is only recommended for development and testing. For production, you will need to frontend SnapPass with apache or nginx with an SSL certificate.

Additionally, I continue to run and maintain my own hosted version of SnapPass which will run code from the main SnapPass GitHub repository, but also incorporate code from my SnapPass GitHub repository that might not yet have been merged in the main repository.

References

How To Safely Share Passwords With Others Who Need Them

comments powered by Disqus