@jc_sec, I see that you commented that you're the author of this tool. I am trying to wrap my head around why you created it, but am having a really difficult time understanding the motivation. Perhaps it was an educational project for yourself to learn about working with crypto. If that was the case, then I applaud your learning, but encourage you to treat such projects as throwaway learning experiences and not publish them. In fact, I think that this tool is actually quite dangerous and it would be irresponsible to leave it available online and encourage its use.<p>First, users should NEVER share their passwords with anyone. Ever. The entire purpose of this tool is to encourage users to share their passwords, which is the exact opposite behavior that any good security training program should be teaching users. Any reason that someone offers to justify the sharing of a password is simply a shortcoming in a specific piece of software supporting business needs. Ironically, Troy Hunt had an article this week about password sharing, which covers the topic well [1][2]. I won't rehash the argument here, but do please read his post.<p>Second, the tool offers zero security benefit over sending a password via email.<p>> It's better than emailing passwords in plaintext<p>No it is not.<p>The content entered into the text box is accessible simply by visiting a link, which means that the data is not end-to-end encrypted. Any email containing the link is equivalent to containing the password because someone simply needs to click on the link to obtain the password. It doesn't matter which cipher you use, which library you use, where you store the keys, etc., because the server running the application has the ability to read the plain text content.
This tool does <i>not</i> provide end-to-end encryption, which is required for any reasonable password management tool.<p>> makes security more accessible to folks who don't have the time/inclination/technical ability to set up keybase and/or establish PKI for sharing secrets.<p>Again, no it does not. This tool does not offer any security value, so it cannot make security more accessible to users. Users do not need to know how to set up Keybase or PKI in order to use other existing secure tools. For example, users should utilize software specifically built for managing passwords, such as LastPass [3], 1Password [4], Dashlane [5], Keeper [6], or a vetted open source alternative.<p>I know a thing or two about building end-to-end encryption systems based on my firsthand experience as a Senior Engineer at Virtru [7], a commercially available end-to-end email encryption solution. I was one of the original employees and helped design the fundamental security architecture, which has been audited by respected independent third parties. You can read more about Virtru's technology on their website [8].<p>Again, I do not know whether you truly think that this tool is secure, or if you were just trying to educate yourself and develop some new skills working with crypto libraries. Please realize that this feedback is not intended to vilify, but to educate.
Please consider taking this tool down and instead promoting a secure alternative to password management to anyone who asks for guidance on sharing passwords.<p>[1] <a href="https://www.troyhunt.com/the-trouble-with-politicians-sharing-passwords/" rel="nofollow">https://www.troyhunt.com/the-trouble-with-politicians-sharin...</a><p>[2] <a href="https://www.troyhunt.com/weekly-update-64/" rel="nofollow">https://www.troyhunt.com/weekly-update-64/</a><p>[3] <a href="https://www.lastpass.com/" rel="nofollow">https://www.lastpass.com/</a><p>[4] <a href="https://1password.com/" rel="nofollow">https://1password.com/</a><p>[5] <a href="https://www.dashlane.com/" rel="nofollow">https://www.dashlane.com/</a><p>[6] <a href="https://keepersecurity.com/" rel="nofollow">https://keepersecurity.com/</a><p>[7] <a href="https://www.virtru.com/" rel="nofollow">https://www.virtru.com/</a><p>[8] <a href="https://www.virtru.com/client-side-encryption/" rel="nofollow">https://www.virtru.com/client-side-encryption/</a>