Why Cloak

Why should I use Cloak?

You only want to share passwords with people you trust, and to minimize any risk when you do. When you send people passwords via email or chat, there are copies of that information stored in places you would not want them to be stored. If you use a one-time link, the information only persists for a single viewing. This means it can't be read by someone else later. This allows you to send sensitive information knowing it's seen by one person. Think of it like a 💣 self-destructing message to keep passwords or other sensitive secrets safe.

What are examples of account and password information that people share?

There are several situations when people share account information, including passwords:

Why is sharing passwords or other sensitive information via email a bad idea?

Using e-mail for transporting any sensitive information is insecure because once the e-mail has left your organization, you've instantly lost any control you may have had over it. This creates a few different problems;

Hacks do happen, just ask Yahoo!

Is sharing passwords or other sensitive information via chat a better choice?

No. Chat apps like Slack or Hipchat are great places to have team conversations, but that doesn’t mean you should treat them as secure for sensitive information. Never use these apps to share secrets such as passwords, sensitive customer data, or valuable corporate IP. Chat services are also available from many different devices, including those with security settings you can't control. For example, a user may install Slack on a personal mobile or home computer outside of company protocols. While these apps typically do a good job of security, both Slack and Hipchat have had issues in the past.
Even if Slack or Hipchat themselves are secure, there is also the risk someone leaves the door to your "chat" house unlocked.

Can I retrieve a secret that has already been shared?

No! We display it once and then delete it. After that it's gone forever.

Can I delete a secret that has already been created?

Yes, there is an option to "🔥 burn" or delete your secrets. This will delete the secret forever.

How long do you keep non-viewed secrets?

We keep secrets for up to 7 days for anonymous users and up to 14 days for free accounts. After that they are deleted automatically and gone forever. The process is quick: by the time you read a secret, it's already deleted from our servers.

What is the maximum size of a secret?

You can send a fair amount of information with Cloak! The maximum message size is 25KB for anonymous users and 50KB for account holders.

Why use a passphrase when sharing a secret?

If you include a passphrase (available under "Get even more security"), it adds an extra layer of security. We don't store the passphrase (only a 🐡 bcrypted hash). A recipient of the private link will not know what the secret is because they can't decrypt it without the passphrase. Only when you share the passphrase can it be decrypted and viewed.
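The view-once, burn, expiry and passphrase behaviour described in the answers above, as an added Ruby example that is not Cloak's or Onetimesecret's own code. The class and method names are hypothetical, and PBKDF2 with AES-256-GCM is this example's choice of key derivation and cipher; the page itself only states that a bcrypt hash of the passphrase is stored.

```ruby
require 'openssl'
require 'securerandom'

# In-memory one-time secret store (added illustration, not Cloak's code).
class OneTimeStore
  ANON_TTL = 7 * 24 * 3600 # the page's 7-day limit for anonymous users
  def initialize
    @secrets = {}
  end

  # Encrypt under a passphrase-derived key and return the link token.
  # PBKDF2 + AES-256-GCM are this example's choices, not taken from the page.
  def create(plaintext, passphrase, now: Time.now, ttl: ANON_TTL)
    salt = SecureRandom.random_bytes(16)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = derive_key(passphrase, salt)
    iv = cipher.random_iv
    data = cipher.update(plaintext) + cipher.final
    token = SecureRandom.urlsafe_base64(24)
    @secrets[token] = { salt: salt, iv: iv, tag: cipher.auth_tag,
                        data: data, expires: now + ttl }
    token
  end

  # Return the plaintext once; nil if unknown, viewed, burned or expired.
  def view(token, passphrase, now: Time.now)
    rec = @secrets[token]
    @secrets.delete(token) if rec && now >= rec[:expires] # expired: purge unread
    return nil unless @secrets.key?(token)
    d = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    d.key = derive_key(passphrase, rec[:salt])
    d.iv = rec[:iv]
    d.auth_tag = rec[:tag]
    plaintext = d.update(rec[:data]) + d.final
    @secrets.delete(token) # deleted as soon as it has been read
    plaintext
  rescue OpenSSL::Cipher::CipherError
    nil # wrong passphrase: record kept for a retry (a choice made here)
  end

  # "Burn": delete before anyone views it. True if something was deleted.
  def burn(token)
    !@secrets.delete(token).nil?
  end

  private
  def derive_key(pass, salt)
    OpenSSL::KDF.pbkdf2_hmac(pass, salt: salt, iterations: 100_000, length: 32, hash: 'sha256')
  end
end
```

Because the key is derived from the passphrase and never stored, a leaked link token alone yields only ciphertext in this model.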

How would I share a passphrase with someone?

If you include a passphrase, you can create a secret link for the passphrase. For example, you can first send the passphrase you intend to use for your secret via a secret message. Then you can create a separate private link for the passphrase-protected password. You can also reverse that order.

Can I share a secret for a password-protected file via Cloak?

Yes! If you have shared a password-protected zip file, don't share the password via chat or email. A better practice is to send the password via a different channel and in a different context. When you send the file and the password by different communication channels, one via email and the other via secret link, you are increasing the surface area and complexity between the two. This makes reconstructing the file-to-password context much harder.

Do you provide a random password generator?

Yes. You can use Cloak as a random password generator. It will also generate a private link for you to send to a recipient. If you don't want to use ours, make sure you are using some form of strong password generator for your secrets.

Why can't I send pictures or other kinds of files?

The challenge with sending files, images in particular, is that there's no way to absolutely guarantee it wasn't copied or shared with other people. In order to ensure that no one's private information is unknowingly shared, we decided to opt for simplicity.

But I can copy the secret text. What's the difference?

True, but all you have is text. Images and other file types can contain metadata and other potentially revealing information about who the sender or recipient is. Again, this is simply to ensure that no private information is shared outside of the intended recipient.

Who created Cloak?

The Openbridge team forked the code used in Cloak from an open-source project called Onetimesecret. We updated a number of core packages, Dockerized the application, added monitoring tools and restyled the user interface. The code is available for all via GitHub.