How to share a WiFi password securely
Without texting it to the group chat.
The problem
Someone asks for the WiFi password at the Airbnb. You text it to the group. Now it's in the group chat forever. When the stay is over and the next guest arrives, the old guests still have the password in their messages. Nobody changes it, because it's a hassle to update the password on every device in the house.
Same thing at a coworking space, a client's office, a conference room. Someone asks, you text it or write it on a whiteboard, and now it's wherever you put it.
Why it matters
A WiFi password gives someone access to your network. Anyone on your network can see the other devices connected to it. On an unsegmented home or small office network, that means your printer, your NAS, your smart devices. A guest who had the password last month can park outside and connect.
The password itself isn't the risk. The risk is that it stays accessible long after anyone needed it.
How to share a WiFi password with Secret.Broker
1 Go to the tool and paste the WiFi password. Your browser encrypts it before sending anything to the server.
2 Set the view limit. One person, set it to 1. A group of four guests, set it to 4. Choose a short expiry. A few hours is usually plenty.
3 Copy the link and send it over text, email, or whatever you use. The decryption key is in the URL fragment, the part after the #. That part never reaches the server.
4 They open the link, copy the password, connect to the network. The encrypted data is deleted. The link in the chat now points to nothing.
For Airbnb hosts and short-term rentals
Create a new link for each guest or each booking. Set the view limit to match the number of guests and the expiry to the length of the stay. When the stay ends, the link is already dead. If you rotate the WiFi password between bookings, the old link is doubly useless.
You can include the network name in the secret too. One link, network name and password, opened once, gone.
For offices and coworking spaces
Guest WiFi credentials change. Someone visits the office, you send them the password, and a month later the credentials rotate. The old text message still has the old password. With a self-destructing link, what's left in their messages is a dead URL.
If your guest network rotates on a schedule, create a fresh link each time someone asks. The overhead is about 30 seconds.
What the encryption does
Your browser encrypts the password on your device before it goes anywhere. The server stores ciphertext it can't read. The protocol page covers the full details: XChaCha20-Poly1305 encryption and why I never have the key.