Is WhatsApp or Facebook Messenger secret conversation a reasonable method for transferring passwords?

Both Facebook Messenger (using secret conversations) and WhatsApp implement end-to-end encryption, which means that when you send a message your text is encrypted on your computer and decrypted on the destination computer. The text of your messages is not visible to anyone in between unless they break the encryption, which for practical purposes is not going to happen (unless you happen to be the subject of a national security investigation, in which case you've got bigger problems than sharing your Netflix password with the wonks at the NSA).

However, beware that end-to-end encryption only protects the communication channel itself. It does not protect you from threats such as:

  • Malware, such as keyloggers or screen grabbers that have been installed on your machine or the destination machine
  • Friends/family who decide to re-share or change your password without your permission
  • Netflix, who monitors these things and will see that your account is being used in multiple geographic places and thus probably being shared against their terms of service. Netflix has plans that allow multiple streams among family members, so this in itself is not an actionable issue unless your password is somehow shared widely.
  • Law enforcement, if you happen to live in an area that has criminalized password sharing
  • As pointed out by daniel in the comments, Facebook (who owns both Facebook Messenger and WhatsApp) might accidentally provide weak security or be complicit in breaking user security (e.g. in order to assist a law enforcement investigation). As proprietary applications (not open source) neither of these softwares have been vetted by outside security researchers, so Facebook might have a poor implementation or they might be copying/inspecting your data at either the source or destination device. Additionally, since these applications create and control the encryption keys used to implement the end-to-end encryption, you must assume that Facebook can break the encryption if they so desire (or anyone they would give the keys to, e.g. law enforcement).
  • Another excellent point from Gert van den Berg in the comments: some messaging apps will automatically back up to the cloud. The security around cloud storage is not nearly as strong as the end-to-end encryption used in the communications channel. See, for example, the Fappening attacks for more info as to how the cloud represents a threat to data privacy. (Even for supposedly deleted data!)

"Acceptable" is relative to what level of risk you want to accept.

Personally, I think WhatsApp is suitable for this. As it has good end to end encryption. But I would also think Facebook is fine only because it's a Netflix password and not your bank.

As I say. It's down to you and your risk appetite. Personally, I would be more than happy using WhatsApp with my family.


In the case of a Netflix password, passing the password over FB Messenger or WhatsApp will be secure enough. The data, while in transit will be encrypted using modern encryption technologies. Keep in mind though that the password will be visible within both your's and the recipient's inbox- in plain text. This may introduce a risk if the recipient's Messenger/WhatsApp account is compromised (or your own account).

Hypothetically, if you are sending messages with confidential information related to, let's say, national security- then I would recommend not sending this sensitive data across these types of messaging platforms. The reality is that the "powers" that may have the ability to obtain your chat logs from these messaging services would only do so if the information they were seeking was highly valuable.