Topic: Re: Crosspass - a simple way to share passwords, encryption keys, banking info
Board: Project Development
by LoyceV on 07/09/2023, 13:29:49 UTC
See crosspass.app for details.
Tor: "Unable to connect". I had to try a few new Tor circuits before it loaded. I was hoping the site itself would be enough, but it asks me to install software on my phone. I'm not going to do that, basic OPSEC is installing as few apps as possible.

Quote from: Example from your website
  • Alice wants to send the password Qwerty123 to Bob. She creates a password share in Crosspass and receives a Lookup ID of YNMK and a PIN of 9038.
  • (The password has not been sent to a server but remains on Alice’s phone only. She must keep her phone online for Bob to retrieve the password.)
  • She emails YNMK 9038 to Bob and he enters it into his Crosspass app. His phone retrieves the password Qwerty123 from her phone, encrypted end to end.
  • The password gets deleted from Alice’s phone and remains on Bob’s phone for a day.
This is a lot more complicated than using Protonmail to send a password to another Protonmail user. It uses end-to-end encryption by default without sending codes and passwords, and can set an expiration time.

Quote
You can send both the Lookup ID and PIN together. However, note that the Lookup ID is not secret, so you can make it public without any loss of privacy.

On the other hand, the one-time PIN is secret, so whoever uses it first will retrieve the shared password. (After that the PIN will stop working.) Therefore use a medium of communication to transfer the PIN that is unlikely to be intercepted and used by a rogue party before the proper party uses the PIN.
So if someone knows your Lookup ID, there's a 3 in 10,000 chance they can read your message. I wouldn't trust that for sending a credit card number, and it's much worse when dealing with Bitcoin private keys.

I can tell you when I needed to do that,

- receiving wires to my bank account
We don't wire money.

Quote
- sharing an online wallet at blockchain.info with a business partner, for arbitrage
Web wallets are not recommended, and sharing a wallet at least doubles the risk of losing your funds.

Quote
- sharing an encrypted Cryptomator cloud drive with a business partner
If I really, really have to share something encrypted online, I'd prefer Protonmail.

Quote
- giving Netflix password to my mom
I'd just drive there and enter it.

Quote
- encrypting ZIP file with AES and sending the ZIP by Dropbox, while password by another method
Again: Protonmail. Or even a third option for sending the link.

Quote
- obtaining the password to an encrypted hard drive which was mailed after it was recovered by recovery service
Keep track of your passwords and backups instead of handing over your drives to third parties.

Quote
However, the "password" here is a euphemism for an encryption key. If I were to call the app "Transfer Encryption Key" it would suffer the same fate as PGP and Keybase. No one knows what is a key or a fingerprint, but everyone knows what is a password and understands that it requires privacy and care.
Many users don't take passwords seriously, so I don't think the name is going to help.

I can let you review the source code, provided you report back in this thread that there are no intentional backdoors or data leaks. In fact, I will pay $200 each to the first three people of Legendary status who would review the code.
If it's not going to be open source, you can always add a backdoor later.
Quote
(b) I will open source Crosspass once it gains enough installs to have market advantage over any clone.
That makes sense.

The second. You only pay once a $1 for lifetime use. This way the app is free to receive and removes a potential friction on the recipient's side.
There's a problem with this: if someone tells me to install an app to receive a code, I'll tell them to use something else. I don't even install apps from my bank.



From my perspective, I don't see a reason to use this. But then again, I'm not the average user; maybe there's a market for it.