Security-wise, the form should do a POST and the URL should not contain the password in clear text ever, for 2 reasons.

1. Browser history
The password is saved in clear text in the browser history.

2. User (Code 18)
If the user gives the URL from the address bar instead of the URL in the form (e.g. I sometimes do that by mistake with Onetimesecret.com), you end up giving the actual password in clear text and it will never burn.

Using Onetimesecret as a reference:
1. The form is a POST.
2. The return URL is an ID unrelated to the secret.
3. There's a button click to view & burn the secret from the #2 location (so that even if you give the private URL away, the password is burnt as soon as it is viewed anyway).
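
The flow described in the post above, sketched as an added example (not part of the original post and not Onetimesecret's code): the secret arrives in a POST body, the returned URL carries only a random ID, and the secret is deleted when the reveal button posts. The route names and the in-memory store are assumptions made for this sketch.

```python
import secrets
from urllib.parse import parse_qs

_STORE = {}  # secret_id -> secret text; in-memory only, an assumption of this sketch


def create_secret(text):
    """Store the secret under a random ID that reveals nothing about it."""
    secret_id = secrets.token_urlsafe(16)
    _STORE[secret_id] = text
    return secret_id


def reveal_and_burn(secret_id):
    """Return the secret once and delete it; None if unknown or already burnt."""
    return _STORE.pop(secret_id, None)


def app(environ, start_response):
    """WSGI app with hypothetical routes: POST /secret, GET /s/<id>, POST /s/<id>/reveal."""
    method, path = environ["REQUEST_METHOD"], environ.get("PATH_INFO", "")
    parts = path.strip("/").split("/")

    def reply(status, body):
        # no-store keeps the response out of browser and proxy caches.
        start_response(status, [("Content-Type", "text/plain; charset=utf-8"),
                                ("Cache-Control", "no-store")])
        return [body.encode()]

    if method == "POST" and path == "/secret":
        # The secret travels in the request body, never in the query string,
        # so it does not land in browser history or the address bar.
        size = int(environ.get("CONTENT_LENGTH") or 0)
        form = parse_qs(environ["wsgi.input"].read(size).decode())
        text = form.get("secret", [""])[0]
        if not text:
            return reply("400 Bad Request", "missing secret")
        return reply("201 Created", "/s/" + create_secret(text))
    if len(parts) >= 2 and parts[0] == "s":
        if method == "GET" and len(parts) == 2:
            # Opening the link shows only a confirmation prompt; nothing is burnt yet.
            found = parts[1] in _STORE
            return reply("200 OK" if found else "404 Not Found",
                         "click to view and burn" if found else "gone")
        if method == "POST" and parts[2:] == ["reveal"]:
            text = reveal_and_burn(parts[1])
            if text is not None:
                return reply("200 OK", text)
            return reply("404 Not Found", "gone")
    return reply("404 Not Found", "not found")
```

Because the address bar only ever holds `/s/<id>`, copying it by mistake hands out the same burnable link rather than the password itself.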