I thought this would be simple, but how do you safely share passwords with normal users online. Services like 1Password require that you create a guest user with a vault. I'd like to use something that is SOC2 compliant. And it seems like if I wanted to use something like OneTimeSecret https://github.com/onetimesecret/onetimesecret I'd have to host it myself to be sure it was safe. What do you guys use?
I'm not sure about SOC2 compliance, but I'd be surprised if it's compliant for you to be generating user's passwords for them. Users should be the only person to know their password.<p>You could email out a password that only allows the user to change their password, nothing else. Their account won't be accessible until they choose and set their own password. If the initial password is intercepted it doesn't matter (probably, depends on your app) because the account won't have any user data in it yet.
Bitwarden [0] released a product called Bitwarden Send [1] a couple months ago. Basically, this product helps you to send sensitive information directly to anyone. The information is encrypted end-to-end. Beside that, you can specify expiry time, deletion date, and a password to open your information. It fits with your use case.<p>[0]: <a href="https://bitwarden.com" rel="nofollow">https://bitwarden.com</a><p>[1]: <a href="https://bitwarden.com/products/send/" rel="nofollow">https://bitwarden.com/products/send/</a>
I've used Privnote[0] to easily and quickly send self-destructing text-only notes with sensitive information to users both technical and not. Their privacy policy[1] explains how the information is kept safe.<p>[0]: <a href="https://privnote.com" rel="nofollow">https://privnote.com</a>
[1]: <a href="https://privnote.com/info/privacy" rel="nofollow">https://privnote.com/info/privacy</a>