General

The Best Way to Securely Share Passwords (And Why Most People Get It Wrong)

#secure-sharing, #passwords, #best-practices
The Best Way to Securely Share Passwords (And Why Most People Get It Wrong)

Everybody needs to share a password at some point. A Wi-Fi credential for a guest. A staging server login for a contractor. API keys for a new team member. Database credentials for an auditor.

And almost everybody does it the same way: paste it into an email, drop it in Slack, or text it.

It works. Until it doesn’t.

The Problem With How We Share Passwords

When you send a password through email or a messaging app, that credential now lives in multiple places indefinitely — your sent folder, their inbox, the messaging server’s database, backups, email archives, possibly synced to multiple devices. That one password has gone from existing in one place to potentially dozens.

This isn’t a theoretical risk. Credential exposure through persistent messages is one of the top vectors in data breaches. An old Slack DM from 2023 containing a database password is just as dangerous in 2026 if that password hasn’t been rotated — and let’s be honest, it probably hasn’t been.

The best way to securely share passwords is to make sure they don’t persist after they’ve been received.

The concept is straightforward: instead of sending the password directly, you generate a link that contains the password. The recipient clicks the link, sees the password, and the link self-destructs. Gone. No copies lingering in inboxes or message histories.

This is the best way to send passwords whether you’re sharing them with colleagues, clients, or anyone else — because the credential simply stops existing after it’s been read.

What makes this better than the alternatives:

  • No persistence. The password doesn’t live in email archives, chat logs, or backup tapes.
  • No account required. The recipient doesn’t need to install anything or create an account. They click a link.
  • Audit trail. You can see when the link was opened, how many times, and whether it expired unused.
  • Works everywhere. Send the link through whatever channel you already use — email, Slack, Teams, text. The channel is just the delivery mechanism. The credential itself is behind the one-time link.

This last point matters a lot when you’re sharing passwords with clients. Your client doesn’t want to install your company’s password manager. They don’t want to create an account on a tool they’ll use once. They want to click a link and get the credential. Done.

How Password Pusher Works

Password Pusher is built specifically for this. Here’s the workflow:

  1. Go to pwpush.com
  2. Paste your password or secret
  3. Set how many views and how many days before it expires
  4. Click “Push it!” — you get a unique link
  5. Send that link to your recipient

That’s it. When they open the link, they see the password. After the view limit or time limit is reached, the data is deleted. Not archived. Deleted.

A few things that matter in practice:

Retrieval step. When you send a link via Slack, Teams, or iMessage, URL preview bots will automatically fetch the link before the recipient even sees it. If the tool counts that fetch as a “view,” the secret might already be gone. Password Pusher includes a one-click retrieval step that stops bots from burning your links.

Passphrase protection. For particularly sensitive credentials, you can add a passphrase. The recipient needs both the link and the passphrase to see the content — a clean two-factor delivery.

Auto-dispatch. If you’d rather not deal with sending the link yourself, Password Pusher can email it directly to the recipient on your behalf.

Why 345,000+ People Use It Every Month

Password Pusher has been in production since 2011. Over fourteen years. That’s a long time for a security tool — and longevity matters when you’re trusting something with credentials.

The core application is fully open source on GitHub. Every line of the security-critical code — the encryption (AES-GCM 256-bit), the data handling, the expiry logic, the audit logging — is auditable by anyone. Over 100 million secrets have been shared through the platform.

You can use it for free at pwpush.com with no account required. Or you can self-host it on your own infrastructure if you prefer to keep everything in-house.

Apnotic and Pro Subscriptions

In 2024, I founded Apnotic, LLC to put a proper company behind Password Pusher. The project had grown well beyond a side project, and it needed the support structure to match.

Password Pusher Pro is the subscription tier for teams and organizations. It adds team collaboration, custom domains, white-label branding, file sharing, and workspace-level policies — the features that matter when you’re using Password Pusher across a team rather than individually.

Pro is available both as a hosted service on pwpush.com — with dedicated EU and US data regions — and as a self-hosted license for organizations that need credentials on their own infrastructure.

The free tier isn’t going anywhere. It’s the foundation of the project and always will be. Pro is for the organizations that need more.

Peter Giacomo Lombardo — Apnotic, LLC