Why your note URL isn't a secret (and what actually is)
The link to your note is guessable. The password is what keeps it private. Here’s how to think about it.
Your note lives at a URL like www.inkrypt.online/my-secret-note. Anyone who has that URL can request the page. What they get is the encrypted blob—ciphertext, salt, IV. Without the password, they can’t decrypt. So the URL is not a secret; it’s more like a public identifier. The secret is the password.
Implications
Don’t rely on “no one will guess my URL.” If the note is sensitive, use a long, random-looking slug and a strong password. Don’t paste the URL in public places if you care about not advertising that the note exists. And never send the URL and password in the same message over an untrusted channel.
What actually protects you
What protects you is encryption with a key derived from your password. So use a strong password, make it unique per note when it matters, and treat the URL as “who can try to open this” and the password as “who can actually read it.”
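The split between URL and password described above, as an added example that is not Inkrypt's own code: a stand-in server hands the stored blob (ciphertext, salt, IV) to anyone who knows the slug, and only the password turns it back into text. The KDF and cipher (PBKDF2-SHA-256, AES-256-GCM), the iteration count, the function names and the in-memory store are assumptions, since the page does not name them; Node's crypto module is used so the example runs offline.

```javascript
// Added illustration, not Inkrypt's code. Assumed parameters: PBKDF2-SHA-256
// and AES-256-GCM; the page does not say which KDF or cipher it uses.
const nodeCrypto = require('node:crypto');

const ITERATIONS = 600000; // assumed work factor

function deriveKey(password, salt) {
  return nodeCrypto.pbkdf2Sync(password, salt, ITERATIONS, 32, 'sha256');
}

// Client side: encrypt before upload. The password is never stored in the blob.
function encryptNote(plaintext, password) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  // Append the 16-byte GCM tag to the ciphertext, as WebCrypto does.
  const ciphertext = Buffer.concat([body, cipher.getAuthTag()]);
  return { salt, iv, ciphertext };
}

// Client side: returns the plaintext, or null when the password is wrong
// or the blob was modified (the GCM tag check fails).
function decryptNote(blob, password) {
  const split = blob.ciphertext.length - 16;
  const body = blob.ciphertext.subarray(0, split);
  const tag = blob.ciphertext.subarray(split);
  const key = deriveKey(password, blob.salt);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.iv);
  decipher.setAuthTag(tag);
  try {
    return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
  } catch {
    return null;
  }
}

// Constructed stand-in for the server: slug -> stored blob. No password check
// happens here, so knowing the slug is enough to receive the blob.
const store = new Map();
function publishNote(slug, plaintext, password) {
  store.set(slug, encryptNote(plaintext, password));
}
function fetchBySlug(slug) {
  return store.get(slug) ?? null;
}
```

Because the salt and IV travel with the ciphertext, the password is the only input a URL holder lacks, which is why its strength carries the whole protection.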
FAQ: Note URL vs password
Q1. If my note URL is long and random, isn’t that enough?
No. A long URL helps avoid casual guessing, but the real protection comes from encryption with a strong password. Anyone with the URL can request the ciphertext; only the password holder can decrypt it.
Q2. Can someone brute-force my note by guessing URLs?
They can discover that a note exists if they guess the URL, but without the password they still see only ciphertext. That’s why the URL is not treated as a secret, and the password must be strong.
Q3. Is it safe to share the note URL publicly?
Sharing the URL publicly advertises that the note exists and lets anyone attempt to open it. It’s better to treat the URL as semi-public and keep it out of places where you don’t want attention.
Q4. Can I send the URL and password in the same message?
You can, but it’s risky. Anyone with access to that message gains full access. It’s safer to send the URL over one channel and the password over another.
Q5. What should I remember when sharing encrypted notes?
Think of the URL as “who can knock on the door” and the password as the actual key. Protect the password, and don’t bundle it with the link in a single, easily-forwarded message.
Where to go next
To understand how URLs, passwords, and encryption fit together:
- Read “Zero-knowledge encryption: what it actually means when we can't see your data”.
- Read “Why we encrypt in the browser (and what happens to your password)”.
- Try creating and sharing a note in Inkrypt at https://www.inkrypt.online, sending the URL and password over separate channels.