Security

Lock the link, not the conversation.

Sometimes a short link needs to travel through email, threads and screenshots before it reaches the right person. Password protection makes sure only the right person gets through, and the rest hit a polite wall.

Try it free See how it works
Available on All plans
At rest Bcrypt · cost 12
Rotation Anytime · instant
Edit link
pcol.ink/q3-report
Password
enabled
Password
•••••••••••• Generate
min 4 chars · hashed on save
Hint (optional)
The conference room from last Tuesday.
Remember on device 7 days
pcol.ink/q3-report
Password required
The sender will have sent this
to you separately.
hint · conference room, last Tuesday
TLS 1.3
hashed · bcrypt
How it works

Three steps. No setup, no SDK, no extra page to build.

Toggle it on inside the link editor. Picolink hashes the password, drops in a branded unlock page, and hands the visitor through to your destination once they're in.

1
~ 6 seconds
Set a password
bafe-tomi-keru
generated · pronounceable
generator

Set a password, or have us generate one.

Type your own, or hit Generate for a short, pronounceable code like bafe-tomi-keru, built from random bytes in your browser. Minimum four characters, hashed the moment you save.

2
share normally
pcol.ink/q3-report copy
EMAIL
CHAT
SMS
tuesday-room-42 PW
share password separately

Share the link openly. Pass the password privately.

Send the short URL anywhere: Slack, email, a deck, a print ad. Send the password through a private channel the way you already trust.

3
visitor unlocks
Unlocked, redirecting
•••••••••••••••
Continue
remembered 7d

One try, then onward to the real destination.

Once they're in, the device remembers them for as long as you allow. Wrong password? They get a soft retry, then a cool-down. Never a brute-force door.

Under the hood

Built like a vault. Opens with a tap.

A simple password field hides a lot. Here is exactly what is happening on our side, and what isn't.

01

Bcrypt at rest, never in plaintext.

The instant you save, your password is hashed with bcrypt at cost factor 12 and dropped. Even with full database access we can't tell you what it was. We just verify what visitors type.

YOU TYPE tuesday-room-42
STORED $2b$12$NaCl9vK…uW3z
02

Rotate anytime. Old unlocks die instantly.

Forwarded to the wrong room? Change the password and every existing "remember me" cookie is invalidated on the next click. No waiting, no hunting people down.

tuesday-room-42 revoked
friday-window-09 active
03

Remember-me window, per link.

Configurable on every single link.

Always re-prompt
1 hour
24 hours
7 days
30 days
04

Brute-force, blocked.

10 failed tries inside fifteen minutes trip a fifteen-minute cool-down, scoped to one IP on one link, so a noisy attacker can't lock out real visitors. No captcha noise, no telling attackers when they got close.

00:00:04try 1
00:00:11try 2
00:01:38try 3 … 9
00:02:02try 10
⛔ cool-down15:00
05

Optional hint, on your terms.

Add a private nudge for legitimate viewers without ever showing the answer.

HINT
"The conference room from last Tuesday."
06

Nothing leaks to analytics.

Attempts, hints and unlock cookies stay in the auth path. Your analytics dashboard only sees clean, post-unlock clicks.

raw password
hint text
remember-me token
referrer · device · country
Why teams turn it on

Four very different reasons. Same little toggle.

Customers tell us they use password protection for the boring "we don't want this Googled" moments, but also for the fun ones. A sampler:

Client deliverables before sign-off.

Send the proposal short link to a client. Share the password by phone. No accidental forwards to procurement.

Internal docs that escape the wiki.

Compensation bands, post-mortems, all-hands recordings. Same easy short URL, only readable by people you actually told.

Private beta access codes.

One short URL, one rotating password. Hand it out in your launch email. Rotate it the day the public beta opens.

Easter eggs and surprise drops.

Hide a teaser behind a password mentioned at a meetup. Watch your analytics for the moment it leaks, then rotate.

The fine print

Specs, in plain numbers.

Hash bcrypt cost 12 Industry standard, with an adaptive work factor, deliberately slow to verify, so guessing at scale never pays off.
Minimum 4 chars No practical ceiling, though bcrypt keys off the first 72 bytes. The generator makes a memorable one for you.
Cool-down 15 min After 10 failed tries from one IP on a single link. Honest visitors never hit it.
Remember 0–30 days Per-link setting. Set to zero if you want a fresh prompt on every visit.

Add a password to any link in about six seconds.

Available on every plan, including the free one. No add-on, no upsell, just a toggle in the link editor.

Create a protected link View pricing
EXPLORE MORE
Every Picolink feature
FEATURES
How we compare
COMPARE