Friday, March 25, 2016
My job frequently requires me to distribute passwords to people. Those people could be coworkers or employees from another company or organization. Obviously passwords are something that need to be transmitted securely, but I didn’t have a simple, secure way to do this.
Because I have to distribute passwords to coworkers and employees from other companies and organizations, I needed to send those passwords over the most common communication platform: email. Obviously, it is extremely reckless to send passwords in plain text through email. You still can’t be sure the remote party has encrypted email connections and, unfortunately, encrypting the email contents isn’t simple enough to garner widespread adoption.
I needed a simple, secure, and ephemeral way to share passwords over email and other communication platforms.
Searching the web reveals a handful of options, but nothing I was interested in setting up. Most of the options required both parties to install new software; I simply wanted to use a web browser.
Finally, I discovered SnapPass and decided it was the tool I was looking for.
SnapPass was originally created by Owen Coutts and Ryan Park and has been maintained by Dave Dash and Pinterest. They describe it as “Snapchat for passwords”. It is a self-hosted Python Flask web app that uses redis as backend ephemeral storage. The code is easy to grok and the web app itself is relatively easy to get up and running.
Using the web app is simple: you navigate to a secure URL, input a password into a text field, select a time-to-live, and click submit. You are presented with a secure, unique URL to share with your intended recipient. The URL can only be accessed once. If your intended recipient was able to view the URL and the password, you can rest assured only they saw the password. If your intended recipient was not able to view the URL and the password, the URL either expired based on the time-to-live you set or an unintended recipient saw the password and there is a potential leak in whatever communication platform the URL was sent over.
The only issue with the original SnapPass is the lack of updates. At the time of writing this post, there haven’t been any updates in over a year. Despite that, I knew this was the tool I was looking for, and the beauty of open source allowed me to fork it and update it to suit my needs.
Some of my more notable updates are:
If you want to quickly self-host my fork of SnapPass, I have put together an all-in-one Dockerfile here. Follow the README to get up and running. Additionally, if you prefer to break out the services across many Docker containers, you can use my apache2 Docker container, my individual snappass Docker container, and the official redis Docker container to create the entire stack. This is how I run my own hosted version of SnapPass.
Or, if you just need a simple, secure, ephemeral way to share passwords right now, feel free to use my own hosted version. But wait, you might be thinking, how can I trust you? Well you can’t. I’ve never met you and you’ve never met me. I could very well dump the redis database and see the passwords anyone has temporarily stored. But, why would I? A password on its own is useless to me, and I couldn’t do anything with it if I wanted to.
I am constantly trying to improve my fork of SnapPass. My goal is to keep true to the Unix philosophy and to continue improving something that does one thing well. I won’t promise to merge your pull requests, but if you have notable improvements or ways to make the web app more secure, please submit a pull request.