Software

Is there a safe way to send passwords? Yes, Bitwarden Send

March 15, 2021
5 Min Read
Woman at computer
What's the password? Find out how to send them securely (photo: Bruce Mars)

We’ve talked before about how sending passwords via email is not a smart idea. To recap: email is unencrypted and easy to break into, meaning if someone gets into your email account they’ll likely find any passwords sent via email too.

The service I mentioned in that previous article – Google’s Confidential Mode – made sending passwords via email safer, but it was far from perfect. A new update to my favourite password manager, Bitwarden, is much better.

This truly is a safe way to send passwords. Or, at least, the safest method I’ve seen yet.

Bitwarden Send: how does it work?

If you’re not familiar with Bitwarden, you can read my 2019 review of the password manager here. In short, it’s a free, open-source password manager that works with pretty much any device you can think of.

It does have a premium offering (costing a modest $10 per year), but you don’t need to pay to get all the key password manager features. Nor do you need to pay to take advantage of the new feature that’s been added, called Bitwarden Send, which allows you to securely send passwords to colleagues, friends, family or anyone else.

It works like this. The Bitwarden app (either desktop or mobile) or browser plugin (all major browsers) now has a Send button. The screengrabs you will see here are from the Mac app, but they are all much of a muchness.

To send details such as a password to someone, you press Send and then press the + button, where you will be presented with a screen like this:

Bitwarden send

You’ll see here there are two options to send either a file or text. The option to send a file is only available to premium users, but anyone can send a password in text, which is the option you should select here.

You start by giving the ‘Send’ a name, such as ‘Twitter password’. In the text box that appears when you select ‘Text’ from the screen above, enter the password you wish to send, as below:

BitWarden Send

If you click on the Options link you see at the bottom of the window, you will uncover a few further features. These allow you to set a:

  • Deletion date – a period of time ranging from 1 hour to 30 days, upon which the message will be deleted and after which the recipient won’t be able to retrieve the message
  • Expiration date – this is the same as above, in that you can set an expiration date ranging between 1 hour and 30 days. The key difference between deletion and expiration is that expiration only prevents recipients from seeing the message after the expiry date – it will still be available in your Bitwarden account. So, if you still need access to the nuclear codes, they will be there!
  • Maximum access count – this limits the number of times the secure message can be opened. So, if you want the message to basically self-destruct after someone has seen it once, set this to 1.
  • Password – if you want someone to enter a password before they can look at your secure message, you’ll need to enter this here. Obviously, don’t share that password in the same as email as the link to the secure message you’ll send shortly. You might, for example, set a password and then ring the message recipient and tell them the password, adding another layer of security.

Once you’ve done as many of the above as you need to, tick the box at the bottom of the screen that says ‘Copy the link to share this Send to my clipboard upon save’, as shown below, and hit the Save icon, which looks like a floppy disk.

Bitwarden send

Once you’ve done this, you should see a message appear saying it’s been saved to your clipboard. Now you can paste that link (using Ctrl + V on a PC, Command + V on a Mac, or by holding your finger down in a text field on a smartphone and pressing ‘paste’) into whichever messaging app you wish.

You can send that link via email, via a messaging service such as WhatsApp or Slack, or even by SMS text message to someone’s smartphone.

If you’re going to use email, I strongly recommend you don’t use the word ‘password’ anywhere in the subject line or email itself, as if anyone does break into your inbox, that will be one of the first keywords they search for.

When the recipient clicks on the link you send them (and enters any password you may have set), they should see something like this in their web browser:

Bitwarden send recipient message

As you can see, it tells them from which account the message was sent. It also allows them to press the ‘copy value’ link to save the password to their own clipboard, so there’s no risk of them mistyping a long, jumbled password such as this.

Tips on using Bitwarden Send

  • Make sure you set a deletion or expiry date, ideally at the shorter end of the timescale, as this will ensure someone can’t stumble over the link if, say, the recipient’s email is hacked
  • Sends have a default lifespan of seven days, so they will be automatically deleted after a week unless you stipulate otherwise
  • Setting a password and then ringing the recipient with that password is probably the most secure way of using this service
  • You can manually delete any ‘Send’ you’ve created from the Bitwarden app, if there’s any concern that someone might intercept your Send link
  • Sends are sent using end-to-end AES-256 bit encryption, which basically means it’s near impossible for anyone to crack them in transit
  • Be very careful after you’ve copied a Send link to your clipboard, as it will remain in your clipboard even after you’ve pasted it. If you then press ‘paste’ in another app, you could send that secure link to someone else
Tags

About the author

View All Posts

Barry Collins

Barry has scribbled about tech for almost 20 years for The Sunday Times, PC Pro, WebUser, Which? and many others. He was once Deputy Editor of Mail Online and remains in therapy to this day. Email Barry at barry@bigtechquestion.com.

Add Comment

Click here to post a comment

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.