How to Hide Passwords and Secrets While Screen Sharing
Password managers, 'show password' toggles, .env files, API dashboards and autofill popups all leak secrets on a call. Here's how to fix the browser habits, blur the field in the page, and why you must rotate any secret that ever appeared unblurred.
To hide passwords and secrets while screen sharing, do two things: change the habits that reveal them — don't click 'show password', close your password manager, disable autofill previews — and blur any field that still shows a secret directly in the page before you share. One rule overrides the rest: if a password ever appeared unblurred, even for a single frame, rotate it. Blur prevents future exposure; it can't un-record a leak that already happened.
Secrets leak on calls in mundane ways — an autofill dropdown pops up, a teammate asks you to 'just show it', a .env file is open in the editor tab you're sharing. Below are the places secrets surface, the browser habits that expose them, and how to blur the field itself so a slip never reaches the recording.
Where passwords and secrets surface on screen
- Password managers — 1Password, Bitwarden, LastPass, Chrome's built-in manager: the vault list, and the 'reveal' eye that turns dots into plaintext.
- Login forms with 'show password' — the toggle that swaps the dots for the real string, often clicked by reflex.
- `.env` files and config screens — API keys, DB passwords and connection strings sitting in an editor tab, a hosting dashboard or a settings page.
- API and cloud dashboards — access tokens, webhook secrets and 'reveal key' buttons in Stripe, AWS, GCP and similar.
- Autofill dropdowns — the browser's saved-password popup appearing over a field the moment you click it.
- The address bar and DevTools —
?token=…in a URL, or anAuthorization: Bearer …header sitting in the Network tab.
Fix the browser habits first
Most password leaks on a call are behavioural, not technical. Before you hit 'share screen', run through this do-and-don't list:
- Don't click the 'show password' eye or a 'reveal' button on camera — leave secrets masked.
- Do close your password manager and dismiss its browser popup before you share; open it only when you're not on screen.
- Don't rely on masking dots alone — disable the autofill preview so the saved-password dropdown can't appear mid-demo.
- Do open
.envfiles, config and token pages before the call and blur or close them, rather than navigating to them live. - Don't open the Network tab on camera without blurring it first — request headers spell out bearer tokens in plaintext.
- Do keep the panic hotkey (Ctrl/⌘ ⇧ H) ready for the autofill popup you didn't expect.
Blur the field in the page
For secrets that must stay on screen — a config value you're walking through, a field you can't avoid — blur the element itself so the capture only ever sees a frosted box.
- 1
Start BlurFirst before you share
Open BlurFirst and press Ctrl/⌘ ⇧ Y to start. Do this before you hit 'share screen', not after a secret is already visible.
- 2
Element-blur the password or secret field
Click the password input, the token value or the
.envline to blur exactly that element; click again to reveal when you're off screen. The blur is baked into the page as real pixels, so Zoom, Google Meet, Microsoft Teams, Loom and any recorder capture the blurred version. - 3
Scan for key patterns
Click Scan to auto-detect and blur API keys, tokens and similar secret patterns locally in one pass. It matches patterns, so a hand-typed passphrase in free text may need a manual element blur.
- 4
Keep panic ready for autofill popups
If the browser's saved-password dropdown appears over a field, press Ctrl/⌘ ⇧ H to blur the whole page instantly, dismiss the popup off camera, then carry on.
Passwords in a terminal or native app
BlurFirst covers content inside a browser tab — login forms, web IDEs, cloud dashboards and webmail. It can't blur a native terminal, a desktop password-manager window or another monitor (a desktop app is in development). For a native terminal, avoid printing secrets at all (use masked prompts, or environment variables that aren't echoed), and share a single browser window so the terminal stays out of frame — or simply don't show it.