/r/netsec - Information Security News & Discussion

Requesting security review: zero-knowledge one-time secret sharing tool

Hi all,

I built a tool for securely sharing credentials instead of pasting them into chat, email, or tickets. I’d like technical feedback on the threat model, protocol, and cryptography.

Key properties:

  • Encryption happens entirely in the browser using AES-256-GCM
  • PBKDF2 key derivation (250,000 iterations) - the server never sees the plaintext or keys
  • One-time secrets are enforced server-side and deleted atomically on first view
  • Delete token (# fragment) enables early destruction
  • Client-side crypto code is public for review ([GitHub link])

What I’m NOT claiming:

  • Protection against compromised endpoints or devices
  • Anonymity or protection against state-level actors

Live app: https://sharemylogin.com

I’d love:

  • Threat model review
  • Protocol-level issues
  • Any edge cases I may have missed

Thanks in advance!

submitted by /u/iamnotatalker
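
An added example, not part of the original post and not the tool's own code: one way the client-side scheme listed above (PBKDF2 at 250,000 iterations feeding AES-256-GCM) can be laid out so that a modified blob, a wrong passphrase, or a blob served under a different record all fail to decrypt. It uses Node's crypto module rather than the browser's WebCrypto so it runs from a terminal; the passphrase input, SHA-256 as the PBKDF2 hash, the salt/IV/tag envelope and the record-id AAD binding are assumptions.

```javascript
// Added example. Envelope layout, function names and AAD binding are hypothetical.
const nodeCrypto = require('node:crypto');

const ITERATIONS = 250000;            // iteration count stated in the post
const SALT_LEN = 16, IV_LEN = 12, TAG_LEN = 16;
const HEADER_LEN = SALT_LEN + IV_LEN + TAG_LEN;

// PBKDF2-HMAC-SHA256 -> 32-byte AES-256 key (hash choice is an assumption).
function deriveKey(passphrase, salt) {
  return nodeCrypto.pbkdf2Sync(passphrase, salt, ITERATIONS, 32, 'sha256');
}

// Returns base64(salt || iv || tag || ciphertext). Only this blob is uploaded;
// the passphrase stays with the sender and recipient.
function sealSecret(plaintext, passphrase, secretId) {
  const salt = nodeCrypto.randomBytes(SALT_LEN);   // fresh per secret
  const iv = nodeCrypto.randomBytes(IV_LEN);       // never reused under one key
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  // Bind the ciphertext to its record id so the server cannot swap blobs.
  cipher.setAAD(Buffer.from(secretId, 'utf8'));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Returns the plaintext, or null when the passphrase, record id or blob is wrong.
function openSecret(blobB64, passphrase, secretId) {
  const blob = Buffer.from(blobB64, 'base64');
  if (blob.length < HEADER_LEN) return null;       // truncated envelope
  const salt = blob.subarray(0, SALT_LEN);
  const iv = blob.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const tag = blob.subarray(SALT_LEN + IV_LEN, HEADER_LEN);
  const ct = blob.subarray(HEADER_LEN);
  try {
    const decipher = nodeCrypto.createDecipheriv(
      'aes-256-gcm', deriveKey(passphrase, salt), iv, { authTagLength: TAG_LEN });
    decipher.setAAD(Buffer.from(secretId, 'utf8'));
    decipher.setAuthTag(tag);
    // final() throws if the GCM tag does not verify.
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
  } catch (err) {
    return null;                                   // authentication failed
  }
}
```

Returning null on every failure path keeps the caller from distinguishing a wrong passphrase from a tampered blob.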