At pluscloud, we care deeply about security, and we encourage our customers to share information only in a secure way. Our team stores authentication details in encrypted vaults once they are held at pluscloud. To reduce the risk of passwords being intercepted during the exchange, our team uses OneTimeSecret.com.
Passwords, API keys and other authentication details are shared as a so-called 'secret' on OneTimeSecret.com. The application is a simple and secure way to share sensitive information, and it prevents this information from being stored on your email server, chat application or any other location where it persists for a longer period. When using OneTimeSecret.com, the 'secret' is available for a limited amount of time and is destroyed as soon as it has been opened once. While the link might persist in conversations, the content of the secret will be gone.
The OneTimeSecret.com website has more information about its security, and the source code is publicly available on GitHub for anyone to review.
Receiving secrets
When you receive a OneTimeSecret.com link from our team, you can open it in your web browser.
- Click to view the 'secret' we are sharing with you. If the 'secret' requires a passphrase, you will be prompted for it too.
- The 'secret' will be shown once and destroyed automatically.
If the secret has already been shown, you will receive the following message: 'Unknown Secret - It either never existed or has already been viewed'.
Sending secrets
- Enter your 'secret' in the text field. This can be the password, API key or other authentication detail you are trying to share with us. If you are sharing a username and password combination with us, we recommend not including any reference to the username.
- To add another layer of security, you can optionally add a passphrase that is required to open your 'secret'. This will encrypt your 'secret' and store the passphrase as a bcrypt hash, so it can only be decrypted if you share the passphrase.
- You can set the lifetime of your 'secret'. When sharing it with our team, keep in mind that a lifetime that is too short prevents us from receiving your 'secret' before it's destroyed.
- Once finished, press 'Create a secret link' to proceed.
- If you just want to quickly generate a password, you can skip all the previous steps and click 'Or generate a random password'. OneTimeSecret.com will automatically generate a secure password for you and show it to you once before you share the link.
After creating your 'secret' you will be taken to a confirmation page with the following information.
- The link that can be shared with our team.
- Your 'secret'. If you chose to generate a random password, it will be shown here for your reference. When using a passphrase, this field will show 'This message is encrypted with your passphrase' and will not show your secret.
- The date and time when your 'secret' will expire.
- If you made a mistake and want to destroy the secret yourself, you can click 'Burn this secret' to destroy your 'secret'.
Best practice when sharing a link to a secret
When sharing a secret, we recommend keeping the username and password apart from each other and not including both in the secret. Put only the password or API key in the secret and share the information in the following structure:
Username and password
Username: someone@example.com
Password: https://onetimesecret.com/secret/397rosam041tsvt4azmv0tth3evs6x2
API credentials
Client ID: ZYDPLLBWSK3MVQJSIYHB1OR2JXCY0X2C5UJ2QAR2MAAIT5Q
Client Secret: https://onetimesecret.com/secret/397rosam041tsvt4azmv0tth3evs6x2
When using a passphrase, make sure to include it in your message when sharing the link.