How to share a file with a password-protected link.

The four things that matter

When you share a file with someone, four things should be under your control:

• Who can open it. Anyone with the URL? Only someone who knows a passphrase? Only a specific email address?
• When it expires. Open forever? Until the end of the day? After one download?
• Whether you can revoke it. If you change your mind, can you cut access immediately?
• Who the recipient has to trust. You? Google? Dropbox? Some random URL-shortener?

Different tools make different trade-offs. Here are the common options and where each falls short.

Email attachment

The oldest option. Attach the file, hit send.

Pros: everyone can do it; the recipient doesn't need an account.

Cons: size limits (Gmail caps at 25 MB). No expiry — the attachment sits in the recipient's inbox forever. If you forward to the wrong person, you can't un-send. Files in transit pass through several mail servers that log metadata (and sometimes contents). For anything larger or more sensitive than a PDF receipt, email is the wrong tool.

Google Drive / Dropbox / OneDrive

Upload, "Share link", send URL.

Pros: handles large files; most recipients recognise it; you can restrict access to specific emails.

Cons: the recipient has to trust Google/Dropbox/Microsoft; they track who opened what. "Anyone with the link" is public by default — Google has historically had link-enumeration bugs. Passphrases are not a first-class feature on these platforms, so you end up emailing the recipient a separate "the password is…" message, which defeats the point. Expiry dates are a paid feature on Drive.

WeTransfer

Drag, drop, email the link.

Pros: dead simple; handles large files; automatic 7-day expiry on the free tier.

Cons: the free tier can't passphrase-protect links (paid feature). Files are stored on WeTransfer's servers in EU-mixed jurisdictions. You can't revoke early. If you miss the email window, the link just dies without warning.

Signal / Telegram / iMessage

End-to-end encrypted messaging apps can send files directly.

Pros: genuinely encrypted; no link to leak; no server storing the file long-term.

Cons: the recipient has to be on the same platform; file size limits vary; no passphrase layer on top of E2E (it's either "you have this Signal account" or "you don't"); files you sent stay on the recipient's device even if you delete for everyone.

Firefox Send (discontinued)

Firefox Send was the gold standard: end-to-end encrypted, passphrase- optional, auto-expiring, revocable. Mozilla shut it down in 2020 after it was abused for malware distribution. A few forks exist but none are as polished.

The approach that actually meets all four criteria

A self-hostable tool that creates signed share URLs with all four controls (access, expiry, revocation, trust) first-class. MoveMyWork does this, which is why we built the share feature explicitly: we needed it.

Here's what MoveMyWork's share links give you:

• Optional passphrase — set when creating the share, stored as a bcrypt hash. Not written down anywhere the server or sharer can decrypt.
• Expiry — 1 hour, 24 hours, 7 days, or 30 days. Link automatically stops working.
• View caps — limit the number of times the link can be opened (useful for "one download only" scenarios).
• Revoke anytime — one click in Settings kills any share immediately.
• Brute-force protection — 5 wrong passphrase attempts locks the share for 15 minutes. At that rate, any reasonable passphrase is uncrackable.
• Noindex headers — share URLs don't show up in search engines.
• 128 bits of random — share tokens are unguessable.

A good file share should expire when you said it would, not when it's convenient for the platform. It should revoke when you want it to. And it should keep its promises even when you forget.

Walkthrough: creating a protected share

1. Push the file into your clipboard

From the MoveMyWork dashboard, click "Upload a file" and pick the file you want to share. Or, if you have the desktop client installed, copy the file in Finder/Explorer and it'll arrive in your clipboard automatically.

2. Click Share

Each clip row has a Share button. Click it — a modal appears.

3. Set the controls

Enter a passphrase (you pick something strong; we recommend at least 12 characters). Choose an expiry — 24 hours is usually right for a colleague, 1 hour for something sensitive. Optionally cap the number of views.

4. Copy the URL

Click "Create share link" and the modal shows you the URL. Copy, send to your recipient. Send the passphrase separately — ideally through a different channel (Signal, phone call, in person). That way if the URL leaks to a bystander, the passphrase doesn't.

5. Revoke when you're done

If you want to kill the link before it expires: Settings → Active share links → Revoke. The link stops working instantly.

FAQ

How strong should the passphrase be?

For anything sensitive, at least 12 random characters or a 4-word Diceware phrase. MoveMyWork rate-limits wrong attempts so brute- forcing is not practical, but passphrases still get guessed by attackers trying common ones first ("password1", "letmein"). A random-word passphrase like correct-horse-battery-staple is easier to remember than random characters and just as hard to guess.

Will the recipient see who shared it?

No. Share pages show the device name (e.g. "Shared from alice-laptop") if you set one, but not your email address or account identifier. If anonymity matters, rename your devices to something generic.

Does the recipient need an account?

No. Share links work for anyone with the URL (and passphrase). The recipient never touches the signup flow.

What if I need to share with many people?

One link works for many recipients — just share the URL. If you'd rather one link per recipient (for audit purposes, or to revoke selectively), create multiple shares of the same clip. The clip stays pinned as long as any active share references it.

Start sharing properly →