These three tools answer the same question — "how do I send something sensitive as a link that stops working?" — with three different sets of trade-offs. Here's the honest three-way, plus when none of them is the right answer.
Which of the three should you use?
Use Password Pusher if you're an IT or engineering team that wants view-count caps, deletable links, an API, and a self-host option. Use OneTimeSecret if you want the simplest trustworthy open-source tool for one-off text secrets. Skip Privnote for anything valuable — it's closed source and clone-site phishing against it is widely reported.
Feature-by-feature comparison
| Feature | OneTimeSecret | Privnote | Password Pusher |
|---|---|---|---|
| Open source | Yes | No | Yes |
| Self-hosting | Yes | No | Yes |
| No-signup use | Yes | Yes | Yes |
| Burn-after-read | Yes (single view) | Yes (single view) | Yes — configurable N views |
| Passphrase option | Yes | Yes (password) | Yes |
| Expiry window | Up to 14 days hosted | Days | Configurable, long windows supported |
| Delete/revoke a link | Limited | No | Yes — deletable links |
| File sharing | Limited / paid | No | Yes (file push) |
| API | Yes (basic) | No | Yes — first-class |
| Audit trail | Minimal | No | Limited |
| Team workspaces / RBAC | No | No | Limited |
Details as published July 2026 — all three projects evolve; verify current specifics with each one.
Where does OneTimeSecret win?
Simplicity plus verifiability. It has done one thing well for over a decade, the code is public, and the hosted tier is fine for occasional use. If your entire requirement is "send a text secret once, with an optional passphrase," OneTimeSecret is the least-moving-parts answer. Its limits show up in teams: minimal audit visibility, limited file support, and no workspace concept. (Deeper dive: best OneTimeSecret alternatives.)
Where does Privnote win?
Speed for throwaway notes — no signup, minimal UI, done. But it's the only closed-source tool of the three, so its encryption claims can't be independently checked, and its brand has attracted lookalike phishing clones documented in security reporting. We've written a full assessment in is Privnote safe?. For anything involving credentials or money, choose something else.
Where does Password Pusher win?
Operational features. View-count caps ("burn after 3 views") cover the it-might-get-opened-by-a-scanner case, links are deletable, there's a real API and CLI, a file-push module, and a well-trodden Docker self-host path. For an IT department standardizing on one tool, pwpush is usually the right open-source answer. What it lacks is a tenant model: no per-workspace RBAC or rolled-up audit reporting. (Head-to-head: LinkPilot vs Password Pusher.)
When is none of them the right answer?
When the question isn't "can I send this once?" but "can I prove what happened, and undo it?" — the questions businesses ask after their first mis-sent credential. None of the three offers a per-secret audit timeline, dashboard revocation across a team, role-based access, and delivery notifications in one place.
That's the slice LinkPilot occupies: the same atomic burn-after-read primitive, plus audit timelines, revocation, file attachments, passphrases hashed client-side, team workspaces — and branded short links with analytics in the same product. It's hosted-only and doesn't claim end-to-end encryption (exact model here), so self-host purists should stick with pwpush or PrivateBin. You can try it without an account via the free secret link generator.
The bottom line
- Personal, occasional: OneTimeSecret.
- IT/engineering, self-hosted: Password Pusher.
- Anonymous throwaway notes: Privnote works, but type the domain yourself and keep the stakes low.
- Teams that need audit + revocation: a workspace product like LinkPilot.
Whichever you land on, pair it with the habits from how to send a password securely: short expiry, out-of-band passphrase, rotate on anything suspicious.