from Hacker News

Show HN: Temp.pw

by ca98am79 on 4/10/25, 12:40 PM with 41 comments

  • by TimTheTinker on 4/10/25, 3:47 PM

    This is so, utterly, unspeakably, NOT a good idea to use.

    You're trusting a third-party server with the plaintext of an actual secret. This violates nearly every principle of good modern security.

    If the author had somehow built and documented (and proved) a true zero-trust model that enables this kind of interaction, then that might be cool. But that is not this. For all we know, the author (or an insider threat working at AWS) is collecting these passwords into a database for crackers to try first before proceeding to cracking password hashes.

    There are so many other ways to do this. E2E encrypted messaging with disappearing messages (Signal) is the bare minimum. Keybase messages (also E2EE) are also a semi-decent option. 1Password password sharing is a decent usability step up from those. For all three of these options, barring a compromise of the (carefully guarded) process for shipping frontend code to users, the security design guarantees no visibility to a third party, and they have white papers that go into great depth to explain why.

  • by ziddoap on 4/10/25, 3:01 PM

    This is pretty light on features and details.

    When the use case comes up, I like to use https://github.com/pglombardo/PasswordPusher (online version here https://pwpush.com/). Which has generation, customizable # of visits, and a handful of other features.

  • by a3w on 4/10/25, 2:57 PM

    Why is the Share button greyed out, but clickable? Did you vibe code this? (Those are two distinct questions, but yes, I was low-balling the effort that went into this web app.)

  • by dgrin91 on 4/10/25, 3:32 PM

    A fun side project I guess, but I would never trust this for anything. Why would I use this instead of an actual password manager that has password sharing functionality? That also would not save a pw in chat history and has the added benefits on real security and not being some random site.

  • by yawndex on 4/10/25, 3:04 PM

    Why does the "share" button upload the password to your server in plaintext?

  • by esafak on 4/10/25, 3:05 PM

    I just use my password manager.

    https://support.1password.com/share-items/

  • by Minor49er on 4/10/25, 12:48 PM

    This generates a random password that can be shared via a one-time link. Why? What is the situation where this would be used?

  • by thom on 4/10/25, 3:02 PM

    Nice try, Satan.

  • by motohagiography on 4/10/25, 3:21 PM

    solves a common problem. assuming there's a real crng generating them, the links expire in a short window, they aren't logged, and the hashes aren't computed for a commercial rainbow table, what are the specific security objections to this?

    its like a vault secret without the authn friction.

  • by new_user_final on 4/10/25, 3:24 PM

    Feedback: Input box gives zero clue that it is editable. Share button looks disabled button.

  • by qntmfred on 4/10/25, 3:11 PM

    nice work. i've used https://onetimesecret.com/ for this kind of thing for several years

  • by eigenvalue on 4/10/25, 2:02 PM

    Honeypot?

  • by matrixhelix on 4/10/25, 3:14 PM

    openssl rand -base64 12