Best Practices for Sharing Secrets
Follow these guidelines to maximize security when using PassLink.
Do's ✅
Use short expiration times
- Set the shortest expiration that makes sense for your situation
- 1 hour is ideal for real-time sharing with someone online
- Never use 7-day expiration for highly sensitive data
Communicate through separate channels
- Send the PassLink URL via one channel (e.g., email)
- If using password protection, send the passphrase via a different channel (e.g., SMS)
- This ensures that compromising one channel doesn't reveal everything
Verify recipient identity
- Before sharing, confirm you're sending to the right person
- For critical secrets, consider using password protection as an extra layer
Use password protection for sensitive data
- API keys, production credentials, and financial data should always use a passphrase
- Choose a passphrase the recipient knows or can verify through a separate channel
Don'ts ❌
Never share the passphrase in the same message as the link
- This defeats the purpose of password protection
- Always use a separate channel for the passphrase
Don't post PassLink URLs publicly
- Even though secrets self-destruct, a public URL could be accessed by anyone
- If you need to share with a group, create individual links
Don't screenshot the secret
- The whole point is ephemeral sharing
- If you need persistent access, store the secret in a password manager