A Simple, Secure, Ephemeral Way to Share Passwords

Friday, March 25, 2016

My job frequently requires me to distribute passwords to people. Those people could be coworkers or employees from another company or organization. Obviously passwords are something that need to be transmitted securely, but I didn’t have a simple, secure way to do this.

Because I have to distribute passwords to coworkers and employees from other companies and organizations, I needed to send those passwords over the most common communication platform: email. Obviously, it is extremely reckless to send passwords in plain text through email. Even today, you still can’t be sure the remote party has encrypted email connections and, unfortunately, encrypting the email contents isn’t simple enough to garner widespread adoption.

I needed a simple, secure, and ephemeral way to share passwords over email and other communication platforms.

Searching the web reveals a handful of options, but nothing I was interested in setting up. Most of the options required both parties to install new software; I simply wanted to use a web browser.

Finally, I discovered SnapPass and decided it was the tool I was looking for.

SnapPass was originally created by Owen Coutts and Ryan Park and has been maintained by Dave Dash and Pinterest. They describe it as “Snapchat for passwords”. It is a self-hosted Python Flask web application that uses redis for backend ephemeral storage. The code is easy to grok, and the web application itself is relatively easy to get up and running.

Using the web application is simple: you navigate to a secure URL, input a password into a text field, select an expiration time, and click generate URL. You are presented with a secure, unique URL to share with your intended recipient. The URL can only be accessed once. If your intended recipient was able to view the URL and the password, you can rest assured only they saw the password. If your intended recipient was not able to view the URL and the password, the URL either expired based on the expiration time you set or an unintended recipient saw the password and there is a potential leak in whatever communication platform the URL was sent over.

When I first wrote this post, the SnapPass GitHub repository had not been updated since November 4, 2014. Because of this, I maintained my own fork.

However, as of July 18, 2016, updates to the SnapPass GitHub repository have picked up again. Because of this, I have decided to do the proper thing and work with the contributors to incorporate the following changes on top of their repository instead of my own:

  • UI improvements with a responsive design and mobile viewport
  • Introducing an intermediary page to fix an issue with chat clients (Facebook Messenger, Slack, iMessage, etc.) issuing a GET request and deleting the password before the end user could see it
  • Adding an API

To quickly get started with SnapPass, there is a docker-compose.yml file available to use. Using this is only recommended for development and testing. For production, you still need to frontend SnapPass with apache or nginx with an SSL certificate.

Additionally, I still run and maintain my own hosted version of SnapPass which currently runs the code from my own fork of SnapPass. Once I work with the contributors to incorporate the changes above, I will switch my own hosted version to the code from the main SnapPass GitHub repository.

References

How To Safely Share Passwords With Others Who Need Them



comments powered by Disqus