scrt.link vs Password Pusher

Password Pusher is a mature, feature-rich tool for teams. It encrypts on the server — which means the server can read your secret.

Password Pusher has been around since 2011, is Apache-2.0 licensed, and is genuinely well built — it has expiry by days and views, audit logs, teams, an API, a CLI and a browser extension. For IT teams it is a serious option.

The architectural difference is encryption. Password Pusher encrypts secrets in its database, with keys the application holds. Their own FAQ concedes that users of the hosted service cannot verify the running code matches the open-source code, and recommends self-hosting for maximum assurance. scrt.link encrypts in your browser: the key lives in the URL fragment and never reaches us, so there is nothing on our side to compromise.

The other practical catch: on the hosted pwpush.com, file sharing is a paid feature. It is free if you self-host.

Feature comparison

Feature scrt.link Password Pusher

End-to-end encrypted in the browser

Decryption key never reaches the server

Open source

Yes (MIT)Yes (Apache-2.0, open core)

Self-hostable

File sharing

Up to 100 GBPaid on pwpush.com, free self-hosted

Expiration

10 minutes – 30 days1 – 90 days

Configurable view limit

Up to 1,000 views1 – 100 views

Password protection

Yes (paid plans)

Audit logs

Yes (Business)Paid plans

One-time redirects

File requests (receive secrets)

Paid plans

REST API

Official CLI

Yes (@scrt-link/cli)

Browser extension

Chrome & FirefoxChrome (beta)

Custom domain / white-label

Yes (Business)Paid plans

Works without an account

Facts about Password Pusher last verified on July 14, 2026. Products change — if something here is out of date, let us know and we'll fix it.

Key differences

Server-side encryption is a different promise

Password Pusher encrypts secrets at rest in its database using keys the application controls. That protects you if someone steals the database — it does not protect you from the application itself, its operators, or an attacker who reaches the running server. scrt.link never receives the key, so the same attacks yield ciphertext.

Their own FAQ makes the point for us

Password Pusher is candid: users of the hosted pwpush.com cannot verify that the code running there matches the published open-source code, and the project recommends self-hosting if you need that assurance. With client-side encryption the question mostly goes away — the code that touches your secret runs in your browser, where you can inspect it.

Where the paywall sits

On the hosted service, file uploads moved behind a paid plan (they remain free in the self-hosted edition), along with branding, audit logs and teams. scrt.link also has paid plans — but end-to-end encryption, one-time links and free file sharing are not among the things you have to pay for.

What Password Pusher does well

Credit where it is due: expiry by both days and views, detailed audit logs, teams with policies, enforced 2FA, 31 languages, a decade of releases. If your threat model is "stop passwords living in Slack" rather than "the provider must not be able to read this", it is a strong, mature product.

Which one should you use?

Choose scrt.link if…

  • You need the provider to be structurally unable to read the secret, not merely trusted.

  • You want file sharing on the hosted service without paying for it.

  • You want expirations shorter than a day, or links that die in 10 minutes.

  • You want to send large files — up to 100 GB — on the same one-time links.

Choose Password Pusher if…

  • You want deep IT-admin features: audit trails, team policies, enforced 2FA, SSO.

  • You are self-hosting anyway, which makes server-side encryption far less of a concern.

  • You need retention up to 90 days.

  • You want a decade-old tool with a very active release cadence and 31 languages.

Frequently asked questions

Got a Question?

Whether you need help choosing a plan, have a technical question, or want to discuss a custom setup — we’re here to help. No bots, no ticket queues. You’ll hear back from a real person.