
Secure Sharing


In today’s digital world, the way we share passwords and sensitive files is just as important as how we protect them. Unfortunately, too many people still rely on email, chat, or even screenshots to transmit credentials—methods that are not only outdated, but dangerously insecure.

Imagine sending a password through email. If someone gains access to that inbox weeks or even months later, the secret is still there, waiting. This is exactly why temporary links—with built-in expiration and one-time view limits—are becoming the new standard for secure sharing.

When a password or file is shared through a time-limited, view-restricted link, the risk of leakage drops dramatically. Even if an attacker gains access to the message or the link, it’s worthless once expired. That’s the key.

For example, a link that expires in 24 hours and allows only one view means:

  • If someone clicks it after that window, it’s gone.
  • If they try to access it a second time, it’s already been deleted.

This principle of "disposable access" is a simple but powerful way to drastically reduce the attack surface.


🧠 Smart servers, secure design

Modern solutions like Password Pusher (pwpush) are designed around this concept. Once a password is viewed or the time limit is reached, the record is automatically purged from the database. No need for manual cleanup, and no trace left behind.

It’s a zero-trust approach—assume that someone could get the link, and make it useless after a certain condition.
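The expire-or-purge behaviour described above, as a minimal in-memory model. This is an added example, not code from Password Pusher; `PushStore`, `Push` and their methods are hypothetical names, and the defaults of 5 days and 2 views are taken from the compose file on this page.

```python
import secrets
import time
from dataclasses import dataclass

@dataclass
class Push:
    payload: str
    expires_at: float   # absolute deadline, seconds since epoch
    views_left: int

class PushStore:
    """Illustrative model only; hypothetical names, not pwpush's API."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._pushes = {}

    # Assumed defaults: 5 days / 2 views, as in the compose file on this page.
    def create(self, payload, expire_after_days=5, expire_after_views=2):
        if expire_after_days <= 0 or expire_after_views <= 0:
            raise ValueError("limits must be positive")
        token = secrets.token_urlsafe(32)   # unguessable link identifier
        deadline = self._clock() + expire_after_days * 86400
        self._pushes[token] = Push(payload, deadline, expire_after_views)
        return token

    def retrieve(self, token):
        """Return the payload, or None if unknown, expired or used up."""
        push = self._pushes.get(token)
        if push is None:
            return None
        if self._clock() >= push.expires_at:
            del self._pushes[token]          # expired: purge, never serve
            return None
        push.views_left -= 1
        if push.views_left == 0:
            del self._pushes[token]          # last view: purge the record
        return push.payload

    def purge_expired(self):
        """Background sweep for links that were never opened."""
        now = self._clock()
        stale = [t for t, p in self._pushes.items() if now >= p.expires_at]
        for t in stale:
            del self._pushes[t]
        return len(stale)

    def __len__(self):
        return len(self._pushes)
```

A real service has to make the check-and-decrement in `retrieve` atomic (a database transaction or a lock); otherwise two concurrent requests can both consume the last view.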


🗂 What about file sharing?

While pwpush offers a great free service for password sharing, file sharing is a different story. The hosted version does not include file uploads unless you pay for it. That’s one of the reasons why I decided to self-host my own pwpush instance.

Self-hosting lets me:

  • Enable file uploads with the same time/view limits
  • Control the data and the server directly
  • Extend or customize the service to fit my needs

Of course, pwpush isn’t the only tool out there—there are other platforms with similar features—but it’s one of the most lightweight, open, and easy to deploy.


My Docker compose

Here is my personal Docker Compose file.

services:
  db:
    image: mariadb:11.4
    # Publishes MariaDB on the host. pwpush reaches the database over the
    # Compose network, so remove this mapping unless you need host access.
    ports:
      - "3306:3306"
    environment:
      MARIADB_USER: ${MARIADB_USER}
      MARIADB_PASSWORD: ${MARIADB_PASSWORD}
      MARIADB_DATABASE: ${DB}
      MARIADB_RANDOM_ROOT_PASSWORD: 'yes'
    volumes:
      - /docker/pwpush/mariadb-data:/var/lib/mysql
    restart: unless-stopped

  pwpush:
    image: docker.io/pglombardo/pwpush:latest

    dns:
      - 8.8.8.8
      - 1.1.1.1

    environment:
      PWP__BRAND__TITLE: 'PwPush - Hosted by Miliotop'
      PWP__BRAND__TAGLINE: 'Security First'
      PWP__PW__EXPIRE_AFTER_DAYS_DEFAULT: "5"
      PWP__PW__EXPIRE_AFTER_VIEWS_DEFAULT: "2"
      PWP__PW__EXPIRE_AFTER_VIEWS_MIN: "2"
      PWP__PW__RETRIEVAL_STEP_DEFAULT: "true"
      PWP__ENABLE_LOGINS: 'true'
      PWP__ENABLE_FILE_PUSHES: 'true'

      # STORAGE
      PWP__FILES__STORAGE: 'local'

      # MAIL CONFIG
      PWP__MAIL__SMTP_ADDRESS: ${SMTP_ADDRESS} # ok
      PWP__MAIL__SMTP_PORT: ${PORT} # ok
      PWP__MAIL__SMTP_AUTHENTICATION: 'plain' # ok
      PWP__MAIL__SMTP_USER_NAME: ${MAIL} # ok
      PWP__MAIL__SMTP_PASSWORD: ${PASSWORD} # ok
      PWP__MAIL__SMTP_ENABLE_STARTTLS_AUTO: 'true' # ok
      PWP__MAIL__MAILER_SENDER: ${MAILER_SENDER} # ok
      PWP__MAIL__OPEN_TIMEOUT: ${TIMEOUT}
      PWP__MAIL__READ_TIMEOUT: ${TIMEOUT}
      PWP__MAIL__RAISE_DELIVERY_ERRORS: 'true' # ok
      PWP__HOST_DOMAIN: ${HOST_DOMAIN} # ok
      PWP__MAIL__PROTOCOL: 'https' # ok
      PWP__DISABLE_SIGNUPS: 'true' # ok

      PWP__TIMEZONE: ${TZ}

      # Built from the same variables as the db service so the credentials
      # cannot drift apart and no password is hardcoded in this file.
      # URL-encode any special characters in the password.
      DATABASE_URL: 'mysql2://${MARIADB_USER}:${MARIADB_PASSWORD}@db:3306/${DB}'
    ports:
      - "5100:5100"
    depends_on:
      - db
    links:
      - db:mysql
    volumes:
      - /docker/pwpush/data:/opt/PasswordPusher/storage:rw
    restart: unless-stopped

🔒 Final Thoughts

Secure sharing is not a luxury—it's a necessity. As phishing, credential stuffing, and insider threats grow, we need to evolve how we transmit sensitive data.

Expiring links aren’t just “nice to have”—they’re a practical, low-cost way to reduce risk and keep control over your secrets.

If you're still sending passwords in plain text... maybe it’s time to rethink that.