Dec 30, 2025 · 6 min read · by SendMe Team

Password-Protecting Files: A Practical Guide

Passwords on files are only as strong as the way you deliver them. Here is how to do it without breaking the math.

Adding a password to a file transfer is a small action with outsized impact — but only if you understand the threat model you are defending against. Most password failures are not cryptographic. They are operational.

What a transfer password actually does

When you set a password on a transfer in a service like SendMe, the server stores only a bcrypt hash of the password. The file itself is stored at a non-guessable storage path. A receiver who has the 6-digit code still cannot retrieve files until they submit the matching password. The hash means even if our database were compromised, your password would not be recoverable in plain text.

Why this is not 'end-to-end encryption'

It is worth being precise. A transfer password is access control on the server, not client-side encryption. The server still touches the file in plaintext during upload and download. If you need true end-to-end encryption — where the server literally cannot read the file — you need a tool that derives the encryption key from the password on your device before upload. That is a different category of tool, and it has its own trade-offs (mostly: lost passwords mean permanently lost files).
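A minimal model of the server-side check described in the two sections above, as an added example (not SendMe's code). It uses scrypt from the Python standard library in place of bcrypt, and `TransferStore`, `create`, `fetch` and the record layout are hypothetical names. It shows that the database holds only a salted hash while the stored file stays readable by the server.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumption: scrypt from the standard library stands in for the bcrypt hash
# the article describes, so this runs without third-party packages.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)


class TransferStore:
    """Hypothetical in-memory model of the server side (not SendMe's code)."""

    def __init__(self) -> None:
        self.db = {}     # code -> record: what a database dump would expose
        self.blobs = {}  # storage path -> file bytes, held in plaintext

    def create(self, data: bytes, password: Optional[str] = None) -> str:
        code = f"{secrets.randbelow(10**6):06d}"  # 6-digit code
        while code in self.db:                    # avoid reusing a live code
            code = f"{secrets.randbelow(10**6):06d}"
        path = secrets.token_urlsafe(32)          # non-guessable storage path
        salt = pw_hash = None
        if password is not None:
            salt = secrets.token_bytes(16)
            pw_hash = hash_password(password, salt)  # password itself is never stored
        self.db[code] = {"path": path, "salt": salt, "pw_hash": pw_hash}
        self.blobs[path] = data
        return code

    def fetch(self, code: str, password: Optional[str] = None) -> Optional[bytes]:
        record = self.db.get(code)
        if record is None:
            return None
        if record["pw_hash"] is not None:
            if password is None:
                return None  # code alone is not enough on a protected transfer
            candidate = hash_password(password, record["salt"])
            # Compare the derived hashes in constant time.
            if not hmac.compare_digest(candidate, record["pw_hash"]):
                return None
        # Access control passed; the server reads and returns the plaintext file.
        return self.blobs[record["path"]]
```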

Picking a password that works

  • Use four random words, not a single complex word. Length beats character variety.
  • Avoid anything that exists in your password manager — re-use is the enemy.
  • Avoid anything that exists on your social media — favorite movie, dog name, hometown.
  • Make it sayable. You will read it to the recipient by voice if you are doing it right.

Delivering the password

This is the entire game. The password protects the file from anyone who has the code but not the password. So the password must travel through a different channel than the code.

  • Code via SMS → password via voice call.
  • Code via Slack → password via Signal.
  • Code via email → password via WhatsApp.
  • Never: code and password in the same message. Defeats the purpose entirely.

Common mistakes

The most common mistake is putting the password in the email subject line of the message that contains the transfer link. Compromise one inbox, get both. The second most common mistake is reusing the same transfer password across multiple recipients — if one of them leaks, all of them are exposed.

The password is not the lock. It is the second lock. Use it like one.

When passwords are overkill

Most casual transfers do not need a password. A funny video to a friend, a receipt to a family member, a meeting photo to a coworker — none of these need a password. The friction of relaying it via a second channel will annoy you more than the marginal security helps. Reserve passwords for files that would actually hurt if leaked.

The mental model

Think of it like a safety deposit box. The code is your appointment. The password is your second key. The expiry is the timer on the room. Used together, they cover most of the practical attack surface for ordinary file transfers.
