Skip to content
BlurFirst

How to Hide Passwords and Secrets While Screen Sharing

6 min read

Password managers, 'show password' toggles, .env files, API dashboards and autofill popups all leak secrets on a call. Here's how to fix the browser habits, blur the field in the page, and why you must rotate any secret that ever appeared unblurred.

To hide passwords and secrets while screen sharing, do two things: change the habits that reveal them — don't click 'show password', close your password manager, disable autofill previews — and blur any field that still shows a secret directly in the page before you share. One rule overrides the rest: if a password ever appeared unblurred, even for a single frame, rotate it. Blur prevents future exposure; it can't un-record a leak that already happened.

Secrets leak on calls in mundane ways — an autofill dropdown pops up, a teammate asks you to 'just show it', a .env file is open in the editor tab you're sharing. Below are the places secrets surface, the browser habits that expose them, and how to blur the field itself so a slip never reaches the recording.

Where passwords and secrets surface on screen

  • Password managers — 1Password, Bitwarden, LastPass, Chrome's built-in manager: the vault list, and the 'reveal' eye that turns dots into plaintext.
  • Login forms with 'show password' — the toggle that swaps the dots for the real string, often clicked by reflex.
  • `.env` files and config screens — API keys, DB passwords and connection strings sitting in an editor tab, a hosting dashboard or a settings page.
  • API and cloud dashboards — access tokens, webhook secrets and 'reveal key' buttons in Stripe, AWS, GCP and similar.
  • Autofill dropdowns — the browser's saved-password popup appearing over a field the moment you click it.
  • The address bar and DevTools?token=… in a URL, or an Authorization: Bearer … header sitting in the Network tab.

Fix the browser habits first

Most password leaks on a call are behavioural, not technical. Before you hit 'share screen', run through this do-and-don't list:

  • Don't click the 'show password' eye or a 'reveal' button on camera — leave secrets masked.
  • Do close your password manager and dismiss its browser popup before you share; open it only when you're not on screen.
  • Don't rely on masking dots alone — disable the autofill preview so the saved-password dropdown can't appear mid-demo.
  • Do open .env files, config and token pages before the call and blur or close them, rather than navigating to them live.
  • Don't open the Network tab on camera without blurring it first — request headers spell out bearer tokens in plaintext.
  • Do keep the panic hotkey (Ctrl/⌘ ⇧ H) ready for the autofill popup you didn't expect.

Blur the field in the page

For secrets that must stay on screen — a config value you're walking through, a field you can't avoid — blur the element itself so the capture only ever sees a frosted box.

  1. 1

    Start BlurFirst before you share

    Open BlurFirst and press Ctrl/⌘ ⇧ Y to start. Do this before you hit 'share screen', not after a secret is already visible.

  2. 2

    Element-blur the password or secret field

    Click the password input, the token value or the .env line to blur exactly that element; click again to reveal when you're off screen. The blur is baked into the page as real pixels, so Zoom, Google Meet, Microsoft Teams, Loom and any recorder capture the blurred version.

  3. 3

    Scan for key patterns

    Click Scan to auto-detect and blur API keys, tokens and similar secret patterns locally in one pass. It matches patterns, so a hand-typed passphrase in free text may need a manual element blur.

  4. 4

    Keep panic ready for autofill popups

    If the browser's saved-password dropdown appears over a field, press Ctrl/⌘ ⇧ H to blur the whole page instantly, dismiss the popup off camera, then carry on.

Passwords in a terminal or native app

BlurFirst covers content inside a browser tab — login forms, web IDEs, cloud dashboards and webmail. It can't blur a native terminal, a desktop password-manager window or another monitor (a desktop app is in development). For a native terminal, avoid printing secrets at all (use masked prompts, or environment variables that aren't echoed), and share a single browser window so the terminal stays out of frame — or simply don't show it.

Frequently asked questions

How do I stop my password manager popping up during a screen share?

Close the password manager and dismiss its browser popup before you start sharing, and disable the autofill preview in your browser's password settings so the saved-password dropdown can't appear over a field. Keep a panic-blur hotkey ready in case one still shows.

Is it safe to type a password while screen sharing?

Typing is lower-risk than revealing, because the field stays masked, but autofill popups, a show-password toggle or a paste that briefly displays the value can still expose it. Blur the field first, and never click reveal on camera. If it ever showed in plaintext, rotate it.

If I blurred a password, do I still need to change it?

If it was only ever shown blurred, no. If it appeared unblurred in any frame, including a discarded take, rotate it. Blur prevents exposure from that point forward; it can't remove a secret from a frame already recorded.

Can it hide passwords in a native app or terminal?

A browser extension only covers content inside a browser tab, which includes login forms, web IDEs and cloud dashboards. A native terminal or desktop password manager is out of scope; share a single browser window so those stay off screen. A desktop app is in development.

Does Scan detect every kind of secret?

Scan detects common patterns — API keys, tokens, JWTs and private keys, plus emails, phone numbers, cards and SSNs — locally in your browser. It matches patterns, not free-text, so a hand-typed passphrase or an unusual secret format may need a manual element blur.

Blur it before you share it.

Hide any field, region or message on a page before your next call. Nothing you blur leaves your browser.

Add to Chrome