Why the "send password separately" trick is mostly theater, and what real password protection looks like.
Updated May 18, 2026
The classic password-protected file share goes like this: you upload a file, set a password, send the link, then send the password through a separate channel. Common practice. Often security theater.
Here's why, and what real password protection looks like.
On most services, the password is a gate between the share page and the download. The flow:
Step 4 is the problem. The server has the file. The server compares the password. The server can serve the file to itself, or to anyone it wants to, without the password. The password protects against random outsiders who got the URL. It doesn't protect against the service itself, subpoenas, breaches, or staff with database access.
True password protection means the password is part of the decryption. Without it, the file can't be turned into plaintext — by anyone, including the service hosting it.
This is what end-to-end encryption does naturally. The "password" becomes the encryption key. Without that key, the ciphertext is useless.
Zippd generates a random AES-256 key in your browser, encrypts the file, and embeds the key in the URL fragment. The full share URL looks like:
https://zippd.io/d/QlZc6UjzLA56jBFJ7hxoqg#k=Ms5jHb_xWdQTfYK9oWzL4iX-PnAo7c
The part after # is the encryption key. Browsers never transmit the fragment. The recipient's browser reads the key from the URL bar locally and uses it to decrypt.
That's a 256-bit random key — far stronger than any human-typed password. And it's actually doing the work of decryption, not just gating access.
Two reasonable use cases:
For two-channel security, you can split the URL yourself. Send the base URL (before #) on one channel. Send the fragment (the k=... part) on another. The recipient pastes them together to access the file. Same security model, two-channel discipline.
A native "extra password" feature is on the roadmap. For now, the URL split is the practical workaround.
| Type-the-password | URL-fragment key | |
|---|---|---|
| Can the server read your file? | Yes | No |
| Strength | Limited by human memory | 256-bit random |
| Subject to brute force | If weak password | Effectively never |
| Visible in URL bar | No (separate input) | Yes |
| Two-channel possible | Yes | Yes (split the URL) |
Three layers add up:
For high-sensitivity sends: encryption + 1-download cap + 24-hour expiry. That's tighter than most "enterprise" file sharing platforms manage.
| Service | Password type | Server can decrypt? |
|---|---|---|
| Zippd | 256-bit key in URL fragment | No |
| Dropbox Transfer | User-typed password gate | Yes |
| WeTransfer Pro | User-typed password gate | Yes |
| Mega Link | Key in URL fragment (same model) | No |
Not currently in the UI. The random 256-bit key is stronger than any custom password and the only way to maintain zero-knowledge. Custom-password features that work alongside E2EE are on the roadmap.
They get a download page that errors out — no key, no decryption. The ciphertext on storage stays unreadable.
Sort of. You can delete the file (registered users) or wait for expiry. The key itself can't be revoked — it's the file's identity. Deleting the file makes the key useless.
Yes, in HTTPS browser contexts. The fragment is parsed by the browser locally and never transmitted in the HTTP request. Server access logs show only the path, never the fragment.
Upload a file and look at the share URL. The part after #k= is the only thing standing between the recipient and the plaintext.
Short-lived share links with auto-expiry, download caps, and ciphertext that gets deleted...
How Zippd handles big files faster than most paid competitors — and why the browser is eno...
Every file-sharing vendor claims to be secure. Most just mean HTTPS. Here is what the word...
Send up to 20 GB encrypted in your browser. No Dropbox subscription. No account at all.