Show HN: Temp.pw

I disagree with this take because of the way people share passwords OOB right now meets zero security criteria.

- signal requires both users have signal and those personal contacts, as many regulated businesses can't use signal.

- Keybase isn't something people whose world is spreadsheets and slide decks encounter.

- 1Password requires an app or extension install.

Commercial options are so not economical that the OP went and built something.

I've worked on authenticator products, some which were standards candidates, along with a lot of identity and security architecture, and at limited scales, there is no risk in a third party generating the secret you're going to use for something that said party has no way to find.

Honestly, a lot of security concern reduces to bullshit, and for a limited set of use cases, like sending a password protected zip file between organizations, this online tool is pretty good. I commented elsewhere on the thread about some conditions, but really, this tool is just what most people need.

friction from cumbersome security workflows that people avoid creates more risk than using useful tools with some risk in them. pathological risk aversion is not security value either.

I'd like you to walk someone whose job isn't tech through generating a keypair, explaining to their counter party how to do the same, and they're going to exchange the secret using GPG for a zip file they are emailing. In 99% of cases it's stupid and discredits security as a field to raise histrionic criticisms and concerns.

Some secrets are more secret than others, and for low sensitivity tokens like temporary passwords, the risk/reward on this solution disqualifies the objections in your comment.

Is a disappearing message on Signal protected from screenshots? Otherwise I think a disappearing message security is actually lower than a non-disappearing one because of the people that would screenshot it (I know I would w/o any hesitation; I hate data that disappears).

yes truly awful, I should be ashamed for making it. Why do I make anything. Thank you for the feedback

yes I made it super simple on purpose, but pwpush looks cool!

I don't know why the share button became that color. I actually made this years ago because I needed it for my company. But then file.io was acquired (which I was using for the backend), and so I had to recently switch to using aws as the backend. So I vibe-coded a new backend api for aws in the last couple of months. I also acquired the domain temp.pw - previously used temporary.pw (which still works).

because it is about sharing a one-off password with someone so that you don't have to worry about it getting stored in chat history

The "share which expires after one use" part requires the password either be visible to the server or encoded in the URL (also visible to to the server) unless you also want to share a password/key to access the password or, in which case the site doesn't make sense, or you want to require both folks are online at the same time to make a brokered WebRTC connection and share via that channel.

I think the intent is you have some crap messaging platform like email or SMS without and want to send a one time access link to the password. I'm not really sure how large the intersection of people who care enough about security to want that but not enough to want to avoid a 3rd party server and hoping first access of the link contents is by the intended target is though.

It has to, how would it deliver the password to the URL’s recipient otherwise?

I suppose to keep it fully stateless you could encode the password in the URL itself somehow, but then that would defeat the purpose of not having the secret hang around in perpetuity.

when you want to share a password with someone but don't want the password to remain in chat history