How to send a password securely

Never send a password in plain text through email, SMS or a chat app. Generate an encrypted, single-use link instead: the recipient opens it once to read the secret, and the content is wiped afterward. It's the only way to hand over a credential without leaving a copy sitting in an inbox, a chat history or a server log. With Pli Scellé, that link takes a few seconds to create, with nothing to install.

An email rarely travels protected end to end. Its content moves through and gets copied in several places: your Sent folder, the outgoing server, relay servers, the recipient's mailbox, sometimes a backup. France's data protection authority (CNIL) is clear: unsecured transmission does not protect against interception, and it recommends encrypting personal data before sending it over messaging. The internet gives no guarantee about a message's path, and an attacker can intercept what flows between two correspondents.

The password also stays readable for as long as the message exists. Six months later, it's still sitting in a thread. Anyone who reaches either account picks it up, effortlessly. SMS is no better: it passes through the carrier, shows in plain text on the lock screen, and lingers in the phone's history.

Team chat tools add their own trap. Slack and its peers keep messages on their servers, and a secret that lands there spreads fast: it gets copied, forwarded, downloaded, indexed in search. There's even a known case of a Slack app logging credentials in plain text. A password pasted into a channel becomes data you no longer control.

1. Open Pli Scellé and choose secret sharing (password or text).

2. Paste the password. Set the link's lifetime: a short expiry, or a single view that closes access on first read.

3. Turn on zero-knowledge mode for the strongest option: the decryption key stays in your browser and never touches our servers.

4. Copy the link and send it through your usual channel. The link does not carry the secret in plain text; without it, and once it's been consumed, there's nothing left to read.

One detail that matters: send the link and any protection password over two separate channels. The link by email, the code by phone, for instance. If one channel leaks, the secret still holds.

The secret is encrypted before it's stored. In zero-knowledge mode, the key stays on the client side: we cannot read what you share, even if asked to. When a secret is protected by a password, the key is derived with PBKDF2-SHA-256 over 600,000 iterations, and encryption uses AES-256-GCM. In plain terms: brute-forcing that password is computationally expensive, and the encrypted content can't be read without the right key.

The link is ephemeral by design. You set an expiry (from 1 hour to 30 days depending on the plan) or a view count. Once the threshold is reached, the content is purged. No copy remains on our side.

Hosting is in France, operated by SHPV FRANCE SAS. No tracking. Anonymous sharing is available, with no account, valid for 24 hours and read once. And to receive a secret from someone else, receive links make the trip back just as safely.

Give a contractor access without scattering the password through a long thread. Hand a server login or an API key to a colleague. Pass a code to a client during a job. Send a Wi-Fi password, account credentials, a config secret. Every time, the logic is the same: the secret lives just long enough to be read, then it’s gone, instead of piling up in inboxes nobody ever clears.