Temporal.PW can convert a password into a unique temporary secure URL that is safe to send via E-Mail.
I made this because I needed a simple way to send passwords to people with whom I didn't already have end-to-end encryption established.
How to use it:
- Enter a good, long, random password into temporal.pw, or click "Generate a random password".
- E-Mail the temporary URL to someone:
  - If they're able to view the password: you know that nobody else was able to view it, and you know that the URL can't be used again later to determine the password.
  - If they see a "This password doesn't exist" error: the password was likely viewed by someone else. The recipient needs to tell you to generate a new password and send them a new temporal.pw URL.
  - If they see an "Invalid password URL" error: the URL they're attempting to view isn't the exact URL that you generated for them.
How it works:
- The unencrypted password is NEVER sent anywhere.
- The password encryption key is generated by your browser and is NEVER sent anywhere.
- The browser generates a random 128-bit AES encryption/decryption key and encrypts the password with it. It sends only the encrypted version of the password to the server (so that the URL can be rendered useless after the password has been viewed once, and so that the URL doesn't expose the password to brute-force attack). The browser then builds a unique temporary secure URL that contains the ID of the encrypted password plus the decryption key.
- The password encryption/decryption key only exists in the 'fragment' part of the URL (after the '#' hash symbol) and is never sent to the server.
- The encrypted password is only sent to the server so that the unique temporary secure URL can be rendered useless after it has been viewed once or has expired. The encrypted password is sent instead of the key so that the password can't be brute-forced out of the URL, and so that the URL is a fixed short length independent of the password size.
- The encrypted password cannot be decrypted without the decryption key that's in the unique temporary secure URL.
- All key generation, encryption, and decryption are done 100% in the browser using common public cryptographic libraries (AES-JS).
- The encrypted password is deleted from the server after it expires, or immediately after being viewed a single time by someone who has the unique temporary secure URL.
- Each password is only viewable a single time so that the intended recipient will NOT be able to view the password if someone else has intercepted and viewed it first.
- Optionally, you can choose to tell the server to only allow a password to be viewed from your same IP address (useful for sending passwords to someone in the same office / network).
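
The flow described in "How it works", as an added example that is not Temporal.PW's own code: it shows that the key in the URL fragment never reaches the server and reproduces the two error outcomes listed under "How to use it". Assumptions: Node's built-in `crypto` with AES-128-GCM stands in for AES-JS (the page does not state the cipher mode), an in-memory `Map` stands in for the server, and the `https://example.invalid/p#<id>-<key>` layout and all function names are hypothetical.

```javascript
// Added illustration; not Temporal.PW's code. URL layout, store and names are assumed.
const crypto = require("node:crypto");

const store = new Map(); // stand-in for the server: id -> {iv, ct, tag}, never the key

function createUrl(password) {
  const key = crypto.randomBytes(16);             // 128-bit key, stays client-side
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-128-gcm", key, iv);
  const ct = Buffer.concat([c.update(password, "utf8"), c.final()]);
  const id = crypto.randomBytes(8).toString("hex");
  store.set(id, { iv, ct, tag: c.getAuthTag() }); // only ciphertext is uploaded
  return `https://example.invalid/p#${id}-${key.toString("hex")}`;
}

// What an HTTP client puts on the wire: path and query, never the fragment.
function requestTarget(url) {
  const u = new URL(url);
  return u.pathname + u.search;
}

function serverFetchOnce(id) {
  const rec = store.get(id);
  store.delete(id);                               // single view: gone after first fetch
  return rec;
}

function viewUrl(url) {
  const m = /^#([0-9a-f]{16})-([0-9a-f]{32})$/.exec(new URL(url).hash);
  if (!m) return { error: "Invalid password URL" };
  const rec = serverFetchOnce(m[1]);
  if (!rec) return { error: "This password doesn't exist" };
  try {
    const d = crypto.createDecipheriv("aes-128-gcm", Buffer.from(m[2], "hex"), rec.iv);
    d.setAuthTag(rec.tag);
    const pt = Buffer.concat([d.update(rec.ct), d.final()]);
    return { password: pt.toString("utf8") };
  } catch {
    return { error: "Invalid password URL" };     // key does not match the ciphertext
  }
}
```

In this sketch a well-formed URL carrying the wrong key still consumes the stored ciphertext, so the sender has to issue a new URL in that case as well.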