Security

    OneTimeSecret vs Privnote vs Password Pusher: Which Should You Use?

    A three-way comparison of the most popular secret-sharing tools — encryption, expiry, revocation, self-hosting, and where each one genuinely wins.

    By W. Miller · July 9, 2026 · 4 min read

    These three tools answer the same question — "how do I send something sensitive as a link that stops working?" — with three different sets of trade-offs. Here's the honest three-way, plus when none of them is the right answer.

    Which of the three should you use?

    Use Password Pusher if you're an IT or engineering team that wants view-count caps, deletable links, an API, and a self-host option. Use OneTimeSecret if you want the simplest trustworthy open-source tool for one-off text secrets. Skip Privnote for anything valuable — it's closed source and clone-site phishing against it is widely reported.

    Feature-by-feature comparison

    Feature OneTimeSecret Privnote Password Pusher
    Open source Yes No Yes
    Self-hosting Yes No Yes
    No-signup use Yes Yes Yes
    Burn-after-read Yes (single view) Yes (single view) Yes — configurable N views
    Passphrase option Yes Yes (password) Yes
    Expiry window Up to 14 days hosted Days Configurable, long windows supported
    Delete/revoke a link Limited No Yes — deletable links
    File sharing Limited / paid No Yes (file push)
    API Yes (basic) No Yes — first-class
    Audit trail Minimal No Limited
    Team workspaces / RBAC No No Limited

    Details as published July 2026 — all three projects evolve; verify current specifics with each one.

    Where does OneTimeSecret win?

    Simplicity plus verifiability. It has done one thing well for over a decade, the code is public, and the hosted tier is fine for occasional use. If your entire requirement is "send a text secret once, with an optional passphrase," OneTimeSecret is the least-moving-parts answer. Its limits show up in teams: minimal audit visibility, limited file support, and no workspace concept. (Deeper dive: best OneTimeSecret alternatives.)

    Where does Privnote win?

    Speed for throwaway notes — no signup, minimal UI, done. But it's the only closed-source tool of the three, so its encryption claims can't be independently checked, and its brand has attracted lookalike phishing clones documented in security reporting. We've written a full assessment in is Privnote safe?. For anything involving credentials or money, choose something else.

    Where does Password Pusher win?

    Operational features. View-count caps ("burn after 3 views") cover the it-might-get-opened-by-a-scanner case, links are deletable, there's a real API and CLI, a file-push module, and a well-trodden Docker self-host path. For an IT department standardizing on one tool, pwpush is usually the right open-source answer. What it lacks is a tenant model: no per-workspace RBAC or rolled-up audit reporting. (Head-to-head: LinkPilot vs Password Pusher.)

    When is none of them the right answer?

    When the question isn't "can I send this once?" but "can I prove what happened, and undo it?" — the questions businesses ask after their first mis-sent credential. None of the three offers a per-secret audit timeline, dashboard revocation across a team, role-based access, and delivery notifications in one place.

    That's the slice LinkPilot occupies: the same atomic burn-after-read primitive, plus audit timelines, revocation, file attachments, passphrases hashed client-side, team workspaces — and branded short links with analytics in the same product. It's hosted-only and doesn't claim end-to-end encryption (exact model here), so self-host purists should stick with pwpush or PrivateBin. You can try it without an account via the free secret link generator.

    The bottom line

    • Personal, occasional: OneTimeSecret.
    • IT/engineering, self-hosted: Password Pusher.
    • Anonymous throwaway notes: Privnote works, but type the domain yourself and keep the stakes low.
    • Teams that need audit + revocation: a workspace product like LinkPilot.

    Whichever you land on, pair it with the habits from how to send a password securely: short expiry, out-of-band passphrase, rotate on anything suspicious.

    Tools mentioned in this article

    Frequently asked questions

    Run smarter links with LinkPilot

    Tracking, UTMs, QR codes, AI insights, and white-label reporting — in one workspace. Free to start.

    Create your free account

    Read next