Why Cloak
Why should I use Cloak?
You only want to share passwords with people you trust, and to minimize any risk when you do. When you send people passwords via email or chat, there are copies of that information stored in places you would not want them to be stored. If you use a one-time link, the information only persists for a single viewing. This means it can't be read by someone else later. This allows you to send sensitive information knowing it's seen by one person. Think of it like a 💣 self-destructing message to keep passwords or other sensitive secrets safe.
What are examples of account and password information that people share?
There are several situations when people share account information, including passwords:
- Sharing Netflix, iTunes or Hulu account information
- Passwords for encrypted zip files
- Login details for email
- Account information for social sites like Twitter, Facebook and Instagram
- Connection secrets, tokens and keys
- Sharing login information for media, advertising or marketing services like Mailchimp, Salesforce or Google AdWords.
- Ordering through shared shopping accounts like Amazon Prime
- Private certificates
- WiFi access keys and passwords
Why is sharing passwords or other sensitive information via email a bad idea?
Using e-mail for transporting any sensitive information is insecure because once the e-mail has left your organization, you've instantly lost any control you may have had over it. This creates a few different problems:
- Sensitive information often sits in a user's inbox. If the account is compromised, any e-mail with sensitive information is available to the hacker
- A receiving user can forward the e-mail to parties that should not receive that information
- There is increased surface area for exposure because there are servers that have sent the e-mails and servers that have received the e-mails
- There is no governance over retention rules or archiving practices on the receiving side. Information that should have limited lifespans can potentially live forever on a server with no archiving or deletion practices
Is sharing passwords or other sensitive information via chat a better choice?
No. Chat apps like Slack or Hipchat are a great place to have team conversations, but that doesn't mean you should treat them as secure for sensitive information. Never use these apps to share secrets such as passwords, sensitive customer data, or valuable corporate IP. Chat services are also available from many different devices, including those with security settings you can't control. For example, a user may install Slack on a personal mobile or home computer outside of company protocols. While these apps typically do a good job of security, both Slack and Hipchat have had issues in the past. Even if Slack or Hipchat themselves are secure, there is also the risk someone leaves the door to your "chat" house unlocked.
Can I retrieve a secret that has already been shared?
No! We display it once and then delete it. After that it's gone forever.
Can I delete a secret that has already been created?
Yes, there is an option to "🔥 burn" or delete your secrets. This will delete the secret forever.
How long do you keep non-viewed secrets?
We keep secrets for up to 7 days for anonymous users and up to 14 days for free accounts. After that they are deleted automatically and gone forever. The process is quick: by the time you read a secret, it's already deleted from our servers.
What is the maximum size of a secret?
You can send a fair amount of information with Cloak! The maximum message size is 25KB for anonymous users and 50KB for account holders.
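The lifecycle described in the answers above (view once, burn on request, automatic expiry, size cap), modelled as an added example that is not Cloak's own code. The class and tier names are hypothetical, the store is in memory only, and KB is taken as 1024 bytes.

```python
import secrets
import time

# Limits quoted in the FAQ above; tier names and KB = 1024 bytes are assumptions.
LIMITS = {
    "anonymous": {"ttl_days": 7, "max_bytes": 25 * 1024},
    "account": {"ttl_days": 14, "max_bytes": 50 * 1024},
}


class OneTimeStore:
    """In-memory model of view-once secrets (hypothetical, not Cloak's code)."""

    def __init__(self, clock=time.time):
        self._items = {}     # token -> (expires_at, secret bytes)
        self._clock = clock  # injectable so expiry can be exercised offline

    def create(self, secret, tier="anonymous"):
        data = secret.encode("utf-8")
        if len(data) > LIMITS[tier]["max_bytes"]:
            raise ValueError("secret exceeds the size limit for this tier")
        token = secrets.token_urlsafe(32)  # unguessable part of the link
        ttl = LIMITS[tier]["ttl_days"] * 86400
        self._items[token] = (self._clock() + ttl, data)
        return token

    def view(self, token):
        # pop() deletes the entry before anything is returned, so a second
        # request with the same link finds nothing, even if this one fails.
        entry = self._items.pop(token, None)
        if entry is None or self._clock() >= entry[0]:
            return None
        return entry[1].decode("utf-8")

    def burn(self, token):
        """Sender-initiated delete; True only if the secret still existed."""
        return self._items.pop(token, None) is not None

    def purge_expired(self):
        """Drop unviewed secrets past their lifetime; returns how many."""
        now = self._clock()
        dead = [t for t, (exp, _) in self._items.items() if now >= exp]
        for t in dead:
            del self._items[t]
        return len(dead)
```

With a shared datastore, the read and the delete in `view` have to be a single atomic operation, otherwise two simultaneous requests can both receive the secret.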
Why use a passphrase when sharing a secret?
If you include a passphrase (available under "Get even more security"), it adds an extra layer of security. We don't store the passphrase (only a 🐡 bcrypted hash). A recipient of the private link will not know what the secret is because they can't decrypt without the passphrase. Only when you share the passphrase can it be decrypted and viewed.
How would I share a passphrase with someone?
If you include a passphrase, you can create a secret link for the passphrase. For example, you can first send the passphrase you intend to use for your secret via a secret message. Then you can create a separate private link for the passphrase-protected password. You can also reverse that order.
Can I share a secret for a password-protected file via Cloak?
Yes! If you have shared a password-protected zip file, don't share the password via chat or email. A better practice is to send the password via a different channel and in a different context. When you send the file and the password by different communication channels, one via email and the other via secret link, you are increasing the surface area and complexity between the two. This makes the reconstruction of the file-to-password context much harder.
Do you provide a random password generator?
Yes. You can use Cloak as a random password generator. It will also generate a private link for you to send to a recipient. If you don't want to use ours, make sure you are using some form of strong password generator for your secrets.
Why can't I send pictures or other kinds of files?
The challenge with sending files, images in particular, is that there's no way to absolutely guarantee it wasn't copied or shared with other people. In order to ensure that no one's private information is unknowingly shared, we decided to opt for simplicity.
But I can copy the secret text. What's the difference?
True, but all you have is text. Images and other file types can contain metadata and other potentially revealing information about who the sender or recipient is. Again, this is simply to ensure that no private information is shared outside of the intended recipient.