Go to content
cutty.dev
All posts

Password-protected link security — what happens when you click

You can add a password to your short link. We show you what happens behind the scenes without using jargon and explain why it is worth it.

The short link with a password is simple. You enter the password, and someone else must enter it to see where the link leads. Behind the scenes, a bit more is happening. We show what, why, and when this comes in handy.

Why protect links with a password at all

Three contexts in which it makes sense:

Content that you want to show only to specific people. Pricing for premium customers, beta documentation before public announcement, training material for people who have paid for the course. Without a password, someone could find this link in a search engine or get it second-hand.

Content with a short lifespan that you want to close. A special offer for Friday, conference material that should be available only to participants. A password turns a link into controlled access — you are sure that the visitor received the password from you, not from a third party.

Content that you publish publicly but want to control. Your full price list, your internal product process, your customer offer. The link can be shared — but without the password, no one can access it.

What happens when you set a password

You enter the password in the link creation form. The password is encrypted immediately — converted into a string that cannot be read. The fact that the password is "secret123" disappears the moment you click "Save". Even I, as the person running the service, cannot read it.

What is stored in the database: not the password, but a fingerprint (technically a "hash") — a string that matches your password only if someone enters exactly the same one. If someone breaches our database, they will only get these strings — not the passwords to your links.

We use an industry standard used by most login systems on the web. It is free to count intentionally — so that a hacker who stole the database would have to wait millions of years to guess passwords.

What happens when someone clicks your link

  1. The visitor sees a lock screen instead of being redirected directly. A short message "this link is password protected" and a field to enter it.
  2. Enters the password and clicks "Unlock". The password is checked on the server against the stored hash.
  3. If it matches — the visitor receives a session token valid for 24 hours. For the next 24 hours, they can return to this link without entering the password. They don't need to remember it.
  4. If it doesn't match — an error message. After five failed attempts from the same IP address — a five-minute block. Bots won't brute-force their way in.

What we do NOT do

  • We do not log passwords in plain text. Never. Not even in debug logs.
  • We do not send passwords via email. Even if a visitor forgets their password, we cannot remind them—because we don’t know it either. You must send the password again from the account from which you originally received it.
  • We do not send passwords to third parties. No external analytics, marketing, or AI provider has access to this data.

Practical tips

Create passwords that are not obvious. Company name + founding year is a weak idea. A browser password generator does this better.

Do not send the password through the same channel as the link. If you send the link via email, send the password via SMS. Or vice versa. Then, a breach of one communication channel will not grant full access.

You can have multiple links with the same target URL but different passwords. Useful when granting access to different people — you can block one link when that access should end, without affecting others.

The password can be changed without creating a new link. In the panel, "Edit" → enter the new password. All active 24-hour sessions will expire immediately, and every visitor will need to enter the new password.

When a password is NOT enough

The password protects against public indexing and accidental access. It does not protect against someone who knows the password and wants to share it. If your scenario requires "only this one specific person can see this" — you additionally need login, user accounts, and authorization. This is a higher tier of functionality (planned in the upcoming Pro plan).

For 95% of cases, "I don't want a random person to see this" — a password is sufficient.

Try it yourself — when creating a link, select "Advanced Options" → "Add password".