I don't get it. What is this for?
PasswordPusher exists as a better alternative to emailing passwords.
Emailing passwords is inherently insecure. The greatest risks include:
- Emailed passwords are usually sent with context about what they are for, or that context can be derived from the email username, domain, etc.
- Email is inherently insecure and can be intercepted at multiple points by malicious entities.
- Emailed passwords live in perpetuity (read: forever) in email archives.
- Passwords in email can be retrieved and used later on if an email account is stolen, cracked, etc.
By using PasswordPusher, you bypass all of this. For each password posted, a unique URL is generated that only you will know. Additionally, passwords expire after a predefined number of views is reached or a set amount of time has passed. Once expired, passwords are unequivocally deleted.
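The lifecycle described above (random URL token, view and time limits, deletion on expiry), sketched as an added example; this is not PasswordPusher's own code. `PushStore`, its method names, the 24-byte token size and the in-memory Hash are assumptions made for illustration.

```ruby
require "securerandom"

# Added illustration, not PasswordPusher's code. PushStore and its method
# names are hypothetical; records live in an in-memory Hash.
class PushStore
  Push = Struct.new(:payload, :views_left, :expires_at)

  def initialize(clock: -> { Time.now })
    @clock = clock          # injectable so expiry can be exercised in tests
    @pushes = {}
    @lock = Mutex.new       # view counting must be atomic across requests
  end

  # Store a secret; return the random token that forms the URL path.
  def push(payload, max_views:, ttl_seconds:)
    raise ArgumentError, "max_views must be >= 1" unless max_views.is_a?(Integer) && max_views >= 1
    raise ArgumentError, "ttl_seconds must be > 0" unless ttl_seconds.positive?
    token = SecureRandom.urlsafe_base64(24) # 24 bytes from the CSPRNG, 32 chars
    @lock.synchronize do
      @pushes[token] = Push.new(payload.dup, max_views, @clock.call + ttl_seconds)
    end
    token
  end

  # Return the secret, or nil. Unknown and expired tokens look identical,
  # so a response does not reveal whether a token ever existed.
  def fetch(token)
    @lock.synchronize do
      push = @pushes[token]
      next nil if push.nil?
      if @clock.call >= push.expires_at
        @pushes.delete(token)             # time limit reached: drop the record
        next nil
      end
      push.views_left -= 1
      @pushes.delete(token) if push.views_left.zero? # last view: drop it
      push.payload
    end
  end

  def stored?(token)
    @lock.synchronize { @pushes.key?(token) }
  end
end
```

The token carries no information about the account or system the password belongs to, and the record is removed at the moment either limit is reached rather than by a later cleanup pass.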
I don't trust you. Why should I use PasswordPusher?
And rightfully so. All good security begins with healthy skepticism of all involved components.
PasswordPusher exists as a better alternative to emailing passwords. It avoids having passwords exist in email archives in perpetuity. It does not exist as an end-all security solution.
Passwords are completely deleted once they expire. Additionally, random URL tokens are generated on the fly and passwords are posted without context (what they go to).
And for the truly paranoid, there is no way I can reliably prove that the open source code is the same that runs on pwpush.com (this is true for all sites in reality). The only thing I can provide in this respect is my public reputation: GitHub, Reddit, and Twitter. If this is a concern to you, feel free to review the code, post any questions that you may have and consider running it internally at your organization instead.
Could you add X feature?
I love to hear all feedback. If you have any ideas or suggestions, please submit them to the GitHub repository.
How do you make money?
I don't. This is just a pet project I work on in my spare time built for the community. Monthly costs are $17/month for Heroku hosting and any time/effort that I've put in or will put in developing the tool is voluntary/donated.
I've thought about moving the site to a Digital Ocean droplet but Heroku just makes it so easy. No configuring Apache/nginx, deploy scripts, monitoring services, etc. But in all honesty, that $20/month just for SSL is kind of aggravating.