What is a One-Time Secret?

Since One-Time Secret's launch in 2012, many similar apps and services have sprung up using the company's open-source code. Created by developer Delano, One-Time Secret is a secure way to share sensitive information.

One of the biggest challenges (for companies and individuals) is sharing passwords securely. Many people use email, spreadsheets, or messaging apps to share passwords. The problem with these methods is that they're easily copied or shared—you have no control over who has access to your credentials!

One-Time Secret is an answer to this password-sharing challenge. But does One-Time Secret actually solve the issue? Or is it a good alternative to a password manager?

We'll explore One-Time Secret in this article and look at the best way to share passwords using a secure password manager.

TeamPassword is a password manager built to share credentials with coworkers safely. Sign up for a 14-day free trial today.


What is a One-Time Secret, and how does it work?

One-Time Secret is a tool to share passwords and sensitive notes. Instead of sending a password over email, text, or a messaging app, you create a One-Time Secret and send the recipient a link and a password to open the message.

When the recipient visits the link address, they have to enter the password, and the information you shared appears on-screen for them to read. The link will only work one time before it disappears forever.

You can also set a time limit for the One-Time Secret to "self-destruct," even if the recipient doesn't read it. Times range from five minutes to several days. 

Here is an example:

  1. Someone in accounts needs to share the company's bank account credentials. They don't want to send them over text or email. 
  2. So, they create a One-Time Secret message with the bank account's credentials and a one-time password to open the message. Because this is highly sensitive information, the sender also sets the One-Time Secret to self-destruct in 1 hour.
  3. They send the One-Time Secret link to the recipient's company email address. They may share the one-time password over the phone or another medium to prevent someone from intercepting the One-Time Secret message.
  4. The recipient opens the link, enters the password, and the bank account credentials appear on the screen.
  5. The recipient copies the bank account credentials somewhere safe and closes the browser, simultaneously deleting the One-Time Secret message.
  6. If the recipient (or anyone else) clicks the link again, an error message appears saying: "Unknown secret. It either never existed or has already been viewed."

If the sender changes their mind, they can "burn the secret," but only before the recipient views it.
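The lifecycle described above (create with a password and a time limit, view once, expire, burn), as an added Python sketch that is not One-Time Secret's own code. The class and method names are hypothetical, the store is in-memory only, and keeping the secret after a wrong password is an assumption.

```python
import hashlib
import hmac
import secrets
import time


class OneTimeSecretStore:
    """In-memory model of the share / view-once / expire / burn lifecycle."""

    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so expiry can be exercised in tests
        self._items = {}      # link token -> (salt, password hash, expiry, value)

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def create(self, value, password, ttl_seconds):
        token = secrets.token_urlsafe(24)   # unguessable part of the link
        salt = secrets.token_bytes(16)
        expires_at = self._clock() + ttl_seconds
        self._items[token] = (salt, self._hash(salt, password), expires_at, value)
        return token

    def view(self, token, password):
        """Return the secret once; None models the 'Unknown secret' page."""
        entry = self._items.get(token)
        if entry is None:
            return None                     # never existed, viewed, or burned
        salt, digest, expires_at, value = entry
        if self._clock() >= expires_at:
            del self._items[token]          # self-destruct on expiry
            return None
        if not hmac.compare_digest(digest, self._hash(salt, password)):
            return None                     # assumption: wrong password keeps it unread
        del self._items[token]              # delete before handing the value out
        return value

    def burn(self, token):
        """Sender-side revocation; True only if the secret was still unread."""
        return self._items.pop(token, None) is not None
```

Nothing in this lifecycle controls what the recipient does with the value after `view` returns it, which is the limitation the rest of the article turns on.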


Where Do You Manage One-Time Secrets?

onetimesecret.com is the original One-Time Secret application. But since the code is open source, several similar websites offer the same service.

Most One-Time Secret apps are free, while others limit the number of free One-Time Secrets before moving to a paid plan.

One-Time Secret apps feature a basic text field for entering your data, but some offer a WYSIWYG editor to create tables, lists, insert documents, and more.

What Kind of Information Do You Share in a One-Time Secret?

People use One-Time Secrets to send all sorts of data. Here is a list of common information sent via One-Time Secret:

  • Sharing passwords
  • Credit card details
  • API keys
  • Sensitive code or algorithms
  • Sharing sensitive, untraceable notes

Some One-Time Secret apps allow you to share documents and images. The problem with these documents is that they're traceable through stored metadata, defeating the purpose of an anonymous One-Time Secret!


Is a One-Time Secret a Good Password Manager Alternative?

The short answer is no—a One-Time Secret is not a good password manager alternative. 

  1. One-Time Secret doesn't solve the problem of password sharing. You're still sharing raw credentials over a messaging service. You don't know where the recipient will save the password or who might see it!
  2. If you're sharing passwords with team members, then One-Time Secret is extremely inefficient and insecure. Creating a One-Time Secret every time you need to send a password is time-consuming. After you've shared the credentials a few times, the passwords end up saved in browsers, written on pieces of paper, or saved in digital notes. You may as well have sent them over email!
  3. If you share passwords with freelancers, using a One-Time Secret is no better than email or text messaging. When the freelancer leaves, they still have access to those accounts. You have to change your passwords and then share these new credentials with the rest of the team.


How is a Password Manager Different from One-Time Secret?

One-Time Secret is a messaging service rather than a password manager. You can't store and recall passwords with One-Time Secret, whereas with a password manager, you can.

With TeamPassword, you have complete control over who uses your passwords, and you can track their activity. Once you share a password using One-Time Secret, you don't know where those credentials go or who uses them!

One-Time Secret doesn't prevent weak passwords or reusing the same credentials for multiple accounts. TeamPassword features a built-in secure password generator, allowing you to create unique, secure passwords for every account login!


Common Password Vulnerabilities for Companies

Even with the increase in cyberattacks, the multitude of password tools, and endless media warnings, many companies still allow poor password management practices.

We always encourage companies to try TeamPassword's 14-day free trial to experience how you can share credentials securely.

Here is a recap of an article we wrote earlier in 2021, Top Five Mistakes When Sharing Passwords with Your Team.

Mistake 1 - Weak Passwords

Weak passwords are a significant issue. P@$$w0rd123 might look complex, but it's no different from using password123. Hackers often run these obvious passwords first during brute-force attacks—where criminals try to guess your password.

Many people believe that just replacing letters with symbols is enough to create a strong password. While this does offer some security, it's still easy to guess!

Agencies that manage multiple client accounts should also avoid using the client's name in a password. For example, clientnameIn$t@gr@m for a client's Instagram account might look secure with symbols, but hackers know to expect these changes.

Companies should create robust (12 character minimum) passwords using a random set of characters (including uppercase, lowercase, numbers, and symbols).
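The policy above, as an added Python example (not TeamPassword's generator or any product's code): a check that undoes symbol-for-letter swaps before looking for dictionary and client-name words, plus a generator that only returns passwords passing that check. The word list and substitution table are small constructed samples, and the function names are hypothetical.

```python
import secrets
import string

# Constructed sample list; a real check would load a breached-password corpus.
COMMON_WORDS = {"password", "instagram", "welcome", "qwerty", "admin"}
# Constructed table of common symbol-for-letter swaps.
LEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                      "1": "l", "!": "i", "3": "e", "7": "t"})


def password_problems(password, context_words=()):
    """Return the reasons a password fails the policy; an empty list is a pass."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    classes = (string.ascii_uppercase, string.ascii_lowercase,
               string.digits, string.punctuation)
    if not all(any(c in cls for c in password) for cls in classes):
        problems.append("missing a character class")
    # Undo the swaps, then look for dictionary words and client or service names.
    plain = password.lower().translate(LEET)
    for word in sorted(COMMON_WORDS | {w.lower() for w in context_words}):
        if word in plain:
            problems.append(f"contains '{word}' after undoing substitutions")
    return problems


def generate_password(length=16, context_words=()):
    """Random 12-32 character password that passes password_problems()."""
    if not 12 <= length <= 32:
        raise ValueError("length must be between 12 and 32")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_problems(candidate, context_words):
            return candidate
```

A constructed password such as `AcmeIn$t@gr@m2021` meets the length and character-class rules yet is still flagged for the client name and the service name, which is why the random generator is the safer default.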

TeamPassword features a built-in password generator, so you never have to worry about weak passwords again!

Mistake 2 - Storing Passwords in Plaintext

Storing passwords in plaintext (and yes, this includes storing passwords in your browser and sending credentials over One-Time Secret) means anyone can view, use, or share your company's credentials.

Agencies often manage hundreds of accounts for clients—using spreadsheets to store and share credentials. Anyone can copy a spreadsheet and share it without your knowledge. 

Plaintext password storage is extremely negligent, and in some states or countries, could violate regulations, leading to prosecution or fines.

TeamPassword's password manager is an accredited secure hosting provider. There's also no way to preview passwords, so you never have to worry about exposing your company or client's credentials.

Mistake 3 - Reusing Passwords

Like weak passwords, reusing credentials creates another significant cybersecurity vulnerability.

Attackers often use passwords stolen from one data breach to try accessing other accounts and applications in a process called credential stuffing.

If your company reuses the same password for multiple accounts, attackers only have to steal one set of credentials, and they have access to all the other accounts!

TeamPassword's built-in password generator ensures your team creates unique passwords for every account! You can choose between 12-32 characters using uppercase, lowercase, symbols, and numbers.

Mistake 4 - Using the "Remember Me" Feature

Many websites and applications have a "Remember me" feature with a checkbox. Sometimes it specifies a period, such as "Keep me logged in for 14 days."

The problem with this remember me feature is that if someone steals an employee's device, the criminal can use their browser history to find your company's accounts and log in.

The same issue applies to saving passwords in the browser. If someone steals an employee's browser credentials, they have access to all the saved passwords too!

With TeamPassword, all of your credentials are encrypted and stored securely. Employees use a browser extension (Safari, Chrome, Firefox) to sign in, so your passwords never leave TeamPassword. Two-factor authentication (2FA) creates a second authentication step, preventing a full breach, even if someone steals an employee's TeamPassword credentials.

Mistake 5 - Changing Passwords

Companies often try to change passwords frequently as a security measure. The problem is that employees often end up reusing passwords over time or swapping passwords across accounts.

If you're not using a password manager, it can be challenging to keep track of changes, with employees constantly sharing credentials—exposing many cybersecurity vulnerabilities!

With TeamPassword, you can update passwords regularly and not even have to tell employees. The password manager updates the credentials for all users, so work continues as usual.


Try a Password Manager for 14 Days

If you're looking for a better way to share passwords with team members, forget sharing passwords with One-Time Secret and other non-secure methods.

Sign up for a 14-day free trial and experience the ease and security of sharing passwords with TeamPassword!