
I don't know your use cases, so pardon me if this is naive, but couldn't you create a token that is unique for each user, and is consumed after use?



I'm not sure what you have in mind.

Our use case is explained on freeversation.com/about. Let me know if you have any questions.


Okay, having read that, I agree -- you absolutely don't have to worry about password theft. At least, not after the fact of a conversation having already happened.

However, what I was suggesting is that instead of using a group password:

- create a random password for each user that is invited
- as part of the 'login' process (or room join process, depending on how your code is structured), check to make sure that token exists in the database
- as soon as somebody uses that random password, delete it (or mark it inactive)

This means that for each token, there can be exactly one login. That login should belong to who you sent the email to, and nobody else. It's just as anonymous as your method, and slightly (wee bit) more secure.

This also solves the problem of people sending the password to their friends, though obviously it cannot plug the analog hole of allowing their friends to look at their screen.
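The single-use invite token scheme suggested in the comment above, as an added example that is not part of this thread and not the site's own code: a hypothetical `InviteStore` class backed by SQLite that issues a random per-user token, stores only its hash, and consumes it atomically on first use. It also adds an expiry window, which the comment does not mention.

```python
import hashlib
import secrets
import sqlite3
import time


class InviteStore:
    """Hypothetical store for one-shot invite tokens (example code, not the site's)."""

    def __init__(self, path=":memory:", ttl_seconds=7 * 24 * 3600):
        self.db = sqlite3.connect(path)
        self.ttl = ttl_seconds  # tokens older than this are refused even if unused
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS invites ("
            " token_hash TEXT PRIMARY KEY, email TEXT NOT NULL,"
            " issued_at REAL NOT NULL, used_at REAL)"
        )

    @staticmethod
    def _hash(token):
        # Only the hash is stored, so a leaked table does not yield usable invites.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email):
        # 32 bytes from the OS CSPRNG; the plain token goes only into the invite e-mail.
        token = secrets.token_urlsafe(32)
        self.db.execute(
            "INSERT INTO invites (token_hash, email, issued_at) VALUES (?, ?, ?)",
            (self._hash(token), email, time.time()),
        )
        self.db.commit()
        return token

    def consume(self, token, now=None):
        """Return the invited e-mail on the first valid use, None on any other attempt."""
        now = time.time() if now is None else now
        # Check-and-mark in one UPDATE: two concurrent joins with the same token
        # cannot both see rowcount == 1, so exactly one login per token.
        cur = self.db.execute(
            "UPDATE invites SET used_at = ? WHERE token_hash = ?"
            " AND used_at IS NULL AND issued_at > ?",
            (now, self._hash(token), now - self.ttl),
        )
        self.db.commit()
        if cur.rowcount != 1:
            return None  # unknown, already used, or expired
        row = self.db.execute(
            "SELECT email FROM invites WHERE token_hash = ?", (self._hash(token),)
        ).fetchone()
        return row[0]
```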




