How to share a password securely over WhatsApp (or anywhere else)

By 1use.lol team

You need to send a Wi-Fi password, an admin login, or an API key to a teammate. WhatsApp, Telegram, email, or Slack DM — pick your poison. All four have the same problem: once you hit send, the credential lives in their chat history forever. Their phone gets stolen, their account gets compromised, they export the chat to OneDrive — and now your secret is on three more devices than you intended.

The three options people actually use

Most teams settle on one of these:

  1. Paste it in chat anyway. Fast. Insecure. Lives forever.
  2. Use a password manager. Secure, but requires the recipient to already have the same manager — which often defeats the point if you're onboarding them.
  3. Send a one-time link. The link works once; the credential is gone after the recipient reads it. No prerequisite tool to install.

Option 3 is the right answer for ad-hoc sharing, and it's what tools like OneTimeSecret, PrivateBin, and 1use.lol exist for.

Quick guide using 1use.lol

  1. Open 1use.lol and paste the credential URL (or the credential itself wrapped in a doc).
  2. Pick an expiry — 24 hours is usually enough.
  3. Optionally add a passphrase. Send the passphrase via a different channel (voice note, in person) so an attacker who steals the link can't open it.
  4. Copy the short URL and paste it into WhatsApp.
  5. Once your teammate opens it, the destination is wiped. WhatsApp now stores only a dead URL.

Out-of-band channel matters

A one-time link with a passphrase is much safer than either alone. If a phisher intercepts the link in WhatsApp, they can't open it without the passphrase. If they intercept the passphrase but not the link, same story. Send each piece on a different channel — the link in WhatsApp, the passphrase in a voice call or in person.
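The access rules described above (single use, expiry, passphrase gate) can be modelled in a few lines. This is an added example, not 1use.lol's code: `OneTimeStore`, `MAX_ATTEMPTS` and the PBKDF2 parameters are assumptions chosen for illustration, and the model keeps the secret in memory where a real service would encrypt it at rest.

```python
import hashlib, hmac, secrets, time

MAX_ATTEMPTS = 3  # assumed policy: burn the secret after this many wrong passphrases

class OneTimeStore:
    """In-memory model of a one-time link service (hypothetical, for illustration)."""
    def __init__(self, clock=time.time):
        self._items = {}
        self._clock = clock  # injectable so expiry can be tested without sleeping

    @staticmethod
    def _derive(passphrase, salt):
        # Slow KDF so a stolen verifier is expensive to brute-force.
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)

    def create(self, secret, ttl_seconds, passphrase=None):
        token = secrets.token_urlsafe(16)  # unguessable part of the link
        salt = secrets.token_bytes(16)
        verifier = self._derive(passphrase, salt) if passphrase else None
        self._items[token] = {"secret": secret, "salt": salt, "verifier": verifier,
                              "expires": self._clock() + ttl_seconds, "attempts": 0}
        return token

    def open(self, token, passphrase=None):
        item = self._items.get(token)
        if item is None:
            return None  # unknown, already read, expired or burned: same answer
        if self._clock() >= item["expires"]:
            del self._items[token]
            return None
        if item["verifier"] is not None:
            candidate = self._derive(passphrase or "", item["salt"])
            if not hmac.compare_digest(candidate, item["verifier"]):
                item["attempts"] += 1
                if item["attempts"] >= MAX_ATTEMPTS:
                    del self._items[token]  # link holder without passphrase gets nothing
                return None
        return self._items.pop(token)["secret"]  # read and wipe in one step

if __name__ == "__main__":
    store = OneTimeStore()
    link = store.create("constructed-wifi-password", 24 * 3600, passphrase="blue horse")
    print(store.open(link))                # link alone: None
    print(store.open(link, "blue horse"))  # link + passphrase: the secret
    print(store.open(link, "blue horse"))  # second read: None, the link is dead
```

Returning the same `None` for every failure keeps someone who only holds the link from learning whether it was already read, expired, or passphrase-protected.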

What about screenshots?

One-time links can't stop a determined recipient from screenshotting the destination. If you're sharing a one-off credential, that's usually fine — rotate it after they've done what they need. If you're sharing a photo, 1use.lol auto-destructs the image after 5 seconds and tiles a watermark across it, but no tool can survive a phone camera pointed at the screen. Design around that limit.

When NOT to use a one-time link

  • You need the recipient to refer back to the secret later — use a password manager instead
  • You're sharing with a group — each person needs their own one-time code (bulk codes solve this)
  • The recipient is a service, not a human — issue an API key instead

Try 1use.lol free

Five one-time shares per month, no card required.