Five years ago, in “Share Passwords Securely with One-Time Secret” (13 June 2016), I wrote about One-Time Secret and d-note, which allow you to share a password—or any text—without worrying about it being intercepted or revealed in an email breach. This capability is essential when you’re in a group whose account access credentials need to be shared with people whose technical platform you might not even know.
Here’s how these password-sharing services work. You enter the password in a Web form, click a Generate button, copy the provided URL, and send the link to the recipient. When they click the link, the site shows them the password and immediately deletes the database entry to ensure no one else can ever use that link again. Interception is highly unlikely, but if the recipient tells you that they couldn’t retrieve the password, you know someone intercepted your message, and you can change the password in question.
I’ve taken to using yet another similar service—1ty.me—which until recently allowed you to enter your email address and receive a notification of when the recipient accessed the password. I have no idea why the feature disappeared, but I liked getting the notification that the recipient had indeed retrieved the password.
In that article about One-Time Secret, I wrote:
The problem I solve with One-Time Secret is infrequent, one-off password sharing with people whose technical setup I seldom know. If you want to share passwords more regularly, better password managers like 1Password and LastPass simplify sharing as long as everyone uses the same app. In an ideal world, 1Password and LastPass would integrate the code from One-Time Secret or d-note into future versions to provide ad-hoc password sharing too.
It has taken a long time, but 1Password 7.9, which AgileBits recently released, finally adds secure password sharing, even with people who don’t use 1Password. The interfaces differ slightly between 1Password.com, the Mac version of 1Password, and the iOS and iPadOS versions, but here are the basics of how to use it.
Share a Password Securely
AgileBits did a good job of making secure password sharing easy:
- Select an item in your 1Password vault (in iOS, tap Categories if necessary).
- Tap the Share button (iOS) or click the Share button and choose Share (macOS and 1Password.com).
- Choose when the link should expire, either after a single view (like One-Time Secret and the others) or after some span of time. I recommend sticking with a single view in nearly all cases to ensure that the link stops working after one use—anything else opens it up to being seen by multiple people.
- Choose whether the link should be available to anyone or only to specific people. This tweak is an advancement over the competing services since you can specify that the recipient must enter their email address and receive a verification code before the password is revealed. That raises the bar on interception since the attacker must also know the intended recipient’s address. However, it also makes retrieving the password a two-step process for the recipient, so you have to weigh the annoyance value against the added security.
- Tap or click Get Link to Share.
- In the next screen, tap or click the Copy button at the bottom, which helpfully changes to Copied.
- Send the link to the recipient however you like. For higher security, don’t send it in the same channel as the rest of the login information—for instance, send most of the login details in email and the password link via an end-to-end encrypted system like iMessage. That way, if an attacker does intercept or hack the recipient’s email before they see the message, the account remains secure.
Access a Shared Password
How you access a shared password depends on whether or not the sender restricted it to a specific set of people. If they didn’t, just click the provided link, tap or click the password field, and copy the password, as in the rightmost screen below. It’s best to verify that it works immediately and add it to your own password manager.
More interesting is what happens if the sender limited the set of recipients. In that case, follow these steps:
- Tap or click the provided link to open it in your Web browser.
- Enter your email address and click or tap Send Code.
- Switch to your email and copy the six-digit code from the message you received.
- Switch back to your Web browser and enter the code.
- 1Password displays the login information, with the password concealed; tap or click it to bring up options for Copy and Reveal.
- Copy the password and immediately try logging into the account in question to verify that it works and so you can save the password to your password manager.
Suppose someone gets hold of a 1Password shared password link but doesn’t enter the email address of an approved recipient. In that case, instead of the verification code, they’ll receive an email message telling them the item wasn’t shared with that address.
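To make the mechanics concrete, here is a small in-memory model of a view-once link with an optional recipient check, as described above. It is an added illustration, not code from 1Password, One-Time Secret, or any other service; the class and method names are hypothetical, and sending email is simulated by returning the message text.

```python
import hashlib, hmac, secrets, time

class OneTimeShare:
    """In-memory model of a view-once share link (constructed for illustration)."""
    def __init__(self):
        self._items = {}   # sha256(token) -> entry; raw tokens are never stored

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, secret, ttl=3600, single_view=True, recipients=None):
        token = secrets.token_urlsafe(32)          # unguessable part of the link
        self._items[self._key(token)] = {
            "secret": secret,
            "expires": time.time() + ttl,
            "single_view": single_view,
            "recipients": {r.lower() for r in recipients or ()},
            "codes": {},                           # email -> pending six-digit code
        }
        return token

    def _live(self, token):
        entry = self._items.get(self._key(token))
        if entry and entry["expires"] < time.time():
            del self._items[self._key(token)]      # expired links are purged
            return None
        return entry

    def send_code(self, token, email):
        """Return the text that would be emailed to `email` (mail is simulated)."""
        entry = self._live(token)
        email = email.lower()
        if entry is None or email not in entry["recipients"]:
            return "This item wasn't shared with that address."
        entry["codes"][email] = f"{secrets.randbelow(10**6):06d}"
        return entry["codes"][email]

    def retrieve(self, token, email=None, code=None):
        entry = self._live(token)
        if entry is None:
            return None                            # unknown, expired, or already viewed
        if entry["recipients"]:
            expected = entry["codes"].pop((email or "").lower(), None)
            if expected is None or not hmac.compare_digest(expected, code or ""):
                return None                        # a failed guess burns the pending code
        if entry["single_view"]:
            del self._items[self._key(token)]      # burn after first successful view
        return entry["secret"]
```

A second `retrieve` on a single-view link returns `None`, which is the signal the sender relies on: if the intended recipient gets nothing, someone else opened the link first and the password should be changed.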
The only thing I’d like to see AgileBits add to this system is an optional notification that a shared password was retrieved. I found that quite reassuring with 1ty.me because it helped me close the loop and know that my recipient was moving forward with the login task.
Otherwise, AgileBits has done an excellent job with this password-sharing feature, and it’s surprising that LastPass and other password managers haven’t done something similar.