Sending Passwords Securely

Many years ago, I was concerned about how passwords were sent in the organization where I worked. We didn’t have any standardized solution, so various methods such as mobile texts, emails, and chat were used – methods that weren’t necessarily secure. Besides the issue of unencrypted transfer, passwords remained in emails, chat logs, or on mobile phones unless the user deleted them, which wasn’t always the case.

To resolve this problem, and as a big fan of Open Source (especially when budget is an issue), I started researching and eventually found software called Yopass (https://github.com/jhaals/yopass).

As stated on their GitHub:

“Yopass is a project for sharing secrets in a quick and secure manner. The sole purpose of Yopass is to minimize the number of passwords floating around in ticket management systems, Slack messages, and emails. The message is encrypted/decrypted locally in the browser and then sent to Yopass without the decryption key, which is only visible once during encryption. Yopass then returns a one-time URL with a specified expiry date.

There is no perfect way of sharing secrets online, and there is a trade-off in every implementation. Yopass is designed to be as simple and ‘dumb’ as possible without compromising security. There’s no mapping between the generated UUID and the user that submitted the encrypted message. It’s always best to send all the context except the password over another channel.”

Demo available here. It’s recommended to host Yopass yourself if you care about security.

  • End-to-End encryption using OpenPGP
  • Secrets can only be viewed once
  • No accounts or user management required
  • Secrets self-destruct after a specified number of hours
  • Custom password option
  • Limited file upload functionality

After trying their demo, I really liked the idea of allowing the link to be opened only once. This prevents the password from lingering in emails or SMS messages: if someone later gains access to the message and clicks the link, it no longer opens anything. The option to set an expiration date covers the case where the receiver never opens the link but keeps the message somewhere. And since all traffic is protected by TLS (the server’s certificate), not only passwords can be sent this way, but also messages or even files. The additional option of securing the message with your own password is a benefit as well.

I created a small Azure Ubuntu VM (B1ms series), which costs very little. The B-series VM is inexpensive but has a drawback: the series is burstable – if CPU utilization stays high for a longer period, the maximum performance is reduced and the server becomes extremely slow. In my case this didn’t matter, and I never experienced any issues with it.

Since Yopass comes as a Docker image, the installation was relatively straightforward. The only problem I encountered at that time was using Let’s Encrypt for automatic certificate issuance. I ended up purchasing a certificate, but this wasn’t a big issue. I can see now that this problem has been resolved.

Yopass is extremely easy to use, and everyone in my organization started sharing secrets this way. We couldn’t be happier. We had only one issue: some email link-protection solutions (URL scanners that pre-fetch links in incoming mail) opened the link before the user received the message in their inbox. By design, that first visit deleted the secret, so the receiver wasn’t able to see the password. This was resolved by adding the Yopass URL to the scanner’s whitelist, so it was not a major issue.

Nowadays, this way of sending secrets is quite common, and many password managers allow it. However, I have a sentimental attachment to Yopass; it was very reliable and effective, so I would recommend it as a solution for sending passwords securely.

Please let me know if you have any comments or questions.
