How to Password-Protect Any Link for Free
A practical guide to putting a password on any URL for free, how link-level protection actually works, and where it stops.
TL;DR: You can put a password on any URL for free with MiniLy. Create a short link, toggle on password protection, set a password, and share the short link plus the password separately. The destination stays gated behind a page that verifies the password on the server (bcrypt hashed, never in the URL). It blocks casual and accidental access, but it is not end-to-end encryption, so anyone you give the password to can still pass it along.
Sharing a private link used to mean spinning up a login wall, a members area, or a paid tool. For most cases that is overkill. You have a portfolio you only want a few people to see, a working document you are sending to a client, a pre-sale page for a small list, or a link in an internal newsletter that should not float around the open web. What you actually want is one gate: a password in front of a URL. This guide shows how to do that for free, compares the real options, and is clear about where a link password stops protecting you.
What does it mean to password-protect a link?
Password-protecting a link means placing an access check in front of a URL so visitors must enter a shared password before they reach the destination. The link stays short and public, but the content behind it does not open until the password is verified. It is access control on the redirect, not encryption of the destination page itself.
There are two broad approaches. The first is server-side: a service holds a hashed version of your password and shows a password page before redirecting. The second is client-side: the destination URL is encrypted inside the link itself, and the browser decrypts it locally when the correct password is typed. Both are valid. They protect against different things and come with different trade-offs, which the next sections break down.
How to password-protect a link in under a minute
With MiniLy password protection the flow takes well under a minute and works on any short link, on the free plan. Create the link, turn on protection, set a password, and share. The password is hashed on the server with bcrypt, so it never appears in the URL or in browser history.
- Create a short link. Paste your long destination URL (a portfolio, a Google Doc, a pre-sale page) into MiniLy and generate the short link.
- Open the link settings. From your dashboard, open the link and find the password protection option.
- Turn on password protection. Toggle it on and type the password you want visitors to enter. Choose something that is not trivial to guess.
- Save. The link is now gated. Anyone who opens it lands on a password page instead of the destination.
- Share the link and the password separately. Send the short link in your email or message, and deliver the password through a different channel (a second message, a call, or in person). Keeping them apart is what makes the gate worth having.
That is the whole process. There is no separate app to install, no members area to configure, and no upgrade required to use it.
Is password protection really free on MiniLy?
Yes. Password protection is included on the MiniLy Free plan at no extra cost, as listed on the pricing page. The Free plan is 0 EUR, Pro is 5 EUR per month (48 EUR per year), and Enterprise starts at 10 EUR per month plus 2 EUR per seat. You do not need Pro to put a password on a link; the gate itself is a free feature.
What the paid plans add is scale and insight: unlimited links, custom domains, tags, and full link analytics so you can see who is clicking. The security gate on the redirect is free regardless of plan.
Can Bitly password-protect links?
No. Based on Bitly's own pricing page, password protection is not listed as a feature on any tier, including the paid Core, Growth, Premium, and Enterprise plans. Bitly's security features center on account-level controls such as two-factor authentication, SSO, and Domain Guard rather than link-level passwords.
This is a genuine gap for anyone who chose Bitly expecting to gate a link behind a password. If that is your main need, a shortener that treats password protection as a core free feature fits the job better than upgrading a plan that still will not do it.
How does server-side link protection work technically?
Server-side protection stores a hash of your password, not the password itself. MiniLy hashes passwords with bcrypt using 12 salt rounds, so the plain text is never saved and cannot be recovered from the database. When a visitor submits a password, the server compares it against the stored hash and only then issues the redirect.
Two details matter here. First, the password is entered on a dedicated verification page, so it is never embedded in the URL, in browser history, or in server logs of the link itself. Second, repeated wrong guesses are rate limited, which makes brute-force attempts impractical. Bcrypt with a work factor and salting follows current OWASP guidance for password storage, so a database leak would not hand attackers usable passwords.
What are the other ways to put a password on a URL?
Server-side shorteners are one route. The main alternatives are client-side encryption tools and the built-in sharing controls of file and content platforms. Each protects a narrow slice well, so the right pick depends on what you are sharing and whether you need tracking or revocation.
- Link Lock is a free, open-source tool (MIT license) that encrypts the destination URL in the browser using AES-GCM, with keys derived via PBKDF2 and salted SHA-256 at 100,000 iterations. The encrypted URL lives inside the link's fragment, so, per its GitHub project, nothing is stored on a server and there are no cookies, tracking, or signups. The trade-off: no click analytics and no way to revoke a link once it is out, and the resulting link is long rather than short.
- Google Drive and Dropbox let you restrict a file or folder to specific people, but that is account-based permission sharing, not a shareable password on a link, and it only covers files hosted on their platforms.
- Notion, WeTransfer, and similar tools offer link passwords on their paid tiers for content that lives inside those products. They work well for their own pages or transfers but do not gate an arbitrary external URL.
A short URL with a server-side password gate is the general-purpose option: it works on any destination, keeps the link short, and can be paired with analytics. Client-side tools like Link Lock are strongest when you want zero server involvement and true local encryption, and you do not need tracking.
What a link password protects, and what it does not
A password on a link protects against casual and accidental access. It stops a forwarded email from opening your content to everyone in the thread, keeps a shared link out of reach if it is indexed or scraped, and adds a deliberate step so people cannot stumble in. For a private portfolio, a client draft, or a pre-sale page, that is usually the exact level of control you want.
It does not do the following, and pretending otherwise leads to bad decisions:
- It is not end-to-end encryption of the content. Server-side gating protects the redirect. The destination page itself is only as protected as wherever it is hosted.
- Anyone with the password can reshare it. A single shared password has no per-person accounts. If you give it to five people and one forwards it, the gate is open. For tighter control, rotate the password or use accounts.
- It is not a substitute for real access management. For regulated data or anything highly sensitive, use a system with individual logins, per-user revocation, and audit logs.
Why this matters in numbers: IBM's Cost of a Data Breach 2025 report put the global average breach cost at 4.44 million USD, and phishing remained one of the most expensive initial vectors at roughly 4.8 million USD per breach. Varonis found in 2025 that around 87% of organizations have sensitive data accessible to every employee. A link password is a cheap, fast reduction of accidental exposure; it is not a full data-governance program.
When should you use a password-protected link?
Use one whenever you are sharing something with a small, known audience that should not be public, but where a full login system is more than the moment calls for. Private portfolios, client deliverables, working documents, subscriber-only content, pre-sale pages, and internal newsletter links are the classic fits. It is the lightweight middle ground between a fully public link and a gated account.
Reach for stronger controls instead when the audience is large and changing, when you must revoke access per person, or when the data is sensitive enough that a leaked shared password would be a serious incident. In those cases, individual accounts and audit trails are worth the extra setup.
Best practices for sharing a private link
A few habits make link passwords far more effective. They cost nothing and close the most common gaps.
- Split the channels. Send the link one way and the password another. A link plus password in the same email defeats the purpose.
- Use a strong, unique password per link. Do not reuse a password you use elsewhere, and avoid guessable phrases.
- Rotate after the window closes. Once a pre-sale ends or a client engagement wraps, change or remove the password so old shares stop working.
- Do not put anything critical in the URL itself. The point of server-side protection is that the password is never in the link; keep it that way.
FAQ
Is it really free?
Yes. Password protection is included on the MiniLy Free plan at 0 EUR, with no upgrade required to gate a link. Paid plans add unlimited links, custom domains, and analytics, but the password gate itself is free.
Can Bitly password-protect links?
No. Bitly does not list password protection as a feature on any plan, including its paid tiers, based on its published pricing page. Its security features focus on account controls like two-factor authentication and SSO rather than link-level passwords.
What happens if someone shares the password?
Anyone who receives the password can open the link and can pass the password to others. A shared link password has no per-person accounts, so it protects against accidental and casual access, not deliberate resharing. Rotate the password or use individual logins when that risk matters.
Does the password appear in the URL?
No. With MiniLy, the password is entered on a separate verification page and checked on the server against a bcrypt hash. It is never embedded in the short link, so it does not show up in browser history or when the link is forwarded.
Can I still see click analytics on a protected link?
Yes. A password-protected MiniLy link still records clicks, so you can track engagement with link analytics. This is one advantage over purely client-side tools, which typically offer no tracking at all.
Is a link password the same as encryption?
Not for server-side gating. It controls access to the redirect rather than encrypting the destination content. Client-side tools such as Link Lock do encrypt the URL in the browser, but they trade away tracking and the ability to revoke a link once shared.