Security Best Practices
Follow these guidelines to maximize the security of your shared secrets with PassLink.
Expiration Strategy
| Scenario | Recommended Expiration |
|---|---|
| Sharing a password with someone online right now | 1 hour |
| Sharing with a colleague in the same timezone | 4 hours |
| Cross-timezone async sharing | 24 hours |
| Sharing with someone who may not check soon | 7 days |
Rule of thumb: Always use the shortest expiration time that gives your recipient enough time to view the secret.
Password Protection
Add a passphrase to your secrets when:
- The secret is highly sensitive (production DB credentials, root keys)
- You're sending the link via an unencrypted channel (email, SMS)
- The recipient's inbox may be compromised or shared
- You want two-factor assurance — link + passphrase
Important: Send the passphrase via a different channel than the link itself. For example: link via email, passphrase via WhatsApp.
View Limits
- Single-view (recommended): The secret is destroyed immediately after the first view. Best for one-to-one sharing.
- Multiple views: Use sparingly. Only when you expect the recipient to need to re-read the secret (e.g., a complex configuration).
Channel Security
| Channel | Security Level | Notes |
|---|---|---|
| Slack DM | ✅ Good | Encrypted in transit, but stored on Slack's servers |
| | ✅ Good | End-to-end encrypted |
| | ⚠️ Moderate | Not encrypted at rest; add a passphrase |
| SMS | ⚠️ Moderate | Vulnerable to SIM swapping; add a passphrase |
| Public Slack channel | ❌ Avoid | Anyone in the channel can click the link |
| Social media DM | ❌ Avoid | Low trust, high exposure |
Corporate Policy Recommendations
If you're using PassLink in a team environment:
- Standardize on single-view + 4h expiration for routine credential sharing
- Require password protection for production secrets
- Train your team to never paste secrets directly in chat — always use PassLink
- Rotate secrets after sharing — treat shared credentials as potentially exposed
- Use separate channels for link and passphrase delivery
What NOT to Do
- ❌ Never share a PassLink URL in a public channel or forum
- ❌ Never screenshot a revealed secret — copy it to your credential manager
- ❌ Never reuse the same link for multiple recipients — create a new one each time
- ❌ Never share passphrase and link in the same message