
Your Passphrase Is Your Fortress — So Don’t Build It Out of Paper

Encryption is only as strong as the words you choose.

BareSend doesn’t give you a key — you create it. The words you type in the “encryption key” box become the foundation of your security.

Behind the scenes, that passphrase is transformed into a 256-bit encryption key using a Key Derivation Function — like PBKDF2 or scrypt. It stretches your password into a proper cryptographic shape.

But here’s the thing: if your passphrase is weak, no amount of mathematical magic can save you.

What actually happens

Say you choose the password !Summer2024!. Looks kind of secure, right? Capital letter, numbers, symbol... textbook stuff.

Not really. It’s in every password list out there. Anyone brute-forcing common passwords would crack it in seconds.

That means: even though your message is encrypted with AES-256, an attacker who gets the encrypted blob can guess your passphrase offline until it works. No server needed. No rate limits. No witnesses.

So why isn’t BareSend panicking?

Because we designed something better: ephemerality as a security layer.

That means the window for brute force is razor thin. You’d have to intercept the message and guess the passphrase before the recipient opens it. Good luck.

Tip: How to build a better passphrase

(For example: a passphrase like rooftop-blanket-mountain-oven-squid has over 2.8 quintillion combinations. Even with modern hardware, brute-forcing it would take tens of thousands — or even billions — of years, depending on how many guesses per second the attacker can make. Translation: you’re safe.)
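To put numbers on the key stretching and offline guessing described above, here is an added example (not BareSend's code) that derives a 256-bit key with PBKDF2 and estimates the average offline search time for a listed password versus the five-word passphrase. The iteration count, salt size, list size and attacker speed are assumptions; the 2.8 quintillion figure is the page's own.

```python
import hashlib
import os

# Assumptions (not from the page): iteration count, salt size, list size.
PBKDF2_ITERATIONS = 600_000
KEY_BYTES = 32                      # 256-bit key, as the page describes
ASSUMED_LIST_SIZE = 1_000_000       # constructed size for a common-password list
PAGE_PASSPHRASE_SPACE = 2_800_000_000_000_000_000  # the page's 2.8 quintillion
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_key(passphrase: str, salt: bytes,
               iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Stretch a passphrase into a 256-bit key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, iterations, dklen=KEY_BYTES)


def expected_seconds(space: int, iterations_per_second: float,
                     iterations: int = PBKDF2_ITERATIONS) -> float:
    """Average offline search time: half the space, one full KDF run per guess."""
    guesses_per_second = iterations_per_second / iterations
    return (space / 2) / guesses_per_second


def offline_guess_report(iterations_per_second: float) -> dict:
    """Compare a listed password with the page's five-word passphrase."""
    listed = expected_seconds(ASSUMED_LIST_SIZE, iterations_per_second)
    random_words = expected_seconds(PAGE_PASSPHRASE_SPACE, iterations_per_second)
    return {
        "listed_password_seconds": listed,
        "random_passphrase_years": random_words / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    salt = os.urandom(16)  # random per message; typically stored with the ciphertext
    key = derive_key("rooftop-blanket-mountain-oven-squid", salt)
    print("derived key:", key.hex())
    # Assumed attacker speed: 1e10 PBKDF2 iterations per second.
    print(offline_guess_report(1e10))
```

Both estimates scale linearly with the iteration count, so the KDF slows every guess by the same factor but cannot make a listed password's search space any larger.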

You don’t need to be a cryptographer — just don’t make it easy. Your passphrase is your fortress. So don’t build it out of paper.