Blog

How to Share Passwords & Sensitive Information Securely

We all constantly need to share sensitive pieces of information — Wi-Fi passwords for guests, login details for a contractor, an access code for a new starter. And most people do it the worst possible way: email or chat, where those details sit exposed indefinitely, searchable by anyone who ever gets into that inbox.

Why email and chat are the wrong place

An emailed password doesn't disappear when the recipient reads it. It lives in their inbox, your sent folder, both providers' servers and every device that syncs those accounts — forever. One compromised account years from now can expose everything ever shared with it. Chat apps are only marginally better.

Use self-destructing notes

The right tool for one-off secrets is an ephemeral sharing service: you paste the secret, it generates a one-time link, and the moment the recipient views it, the secret is permanently destroyed. If the link is intercepted later, there's nothing left to steal. Reputable options include One-Time Secret and PrivateBin instances. Good ones offer an optional passphrase and an expiry time even if never opened.

Ideal for: temporary passwords, guest Wi-Fi details, one-time codes and PINs, and anything that should be read once and forgotten.

Use a password manager for anything ongoing

Self-destructing notes are for handovers. For credentials people need continuously — shared team logins, the accounts package, the company socials — use a password manager with proper sharing (Bitwarden, 1Password). Everyone gets access through their own vault, you can revoke it when someone leaves, and nobody ever needs to see the actual password.

Three habits that cover most of it

  • Never put a password and the thing it unlocks in the same message. If you must split-channel, send the username by email and the password by a one-time link.
  • Treat anything sent in plain text as public. If it's already been emailed, change it.
  • Rotate what you hand over. Give contractors temporary credentials and revoke them when the job's done — better yet, give them their own account.

Getting this right takes ten minutes of setup and saves the very bad afternoon that follows a leaked credential. If you'd like help setting up a password manager for your team — or proper joiner/leaver processes so access never outlives employment — that's exactly what I do.

Need a hand with this?

This is literally my job.

If this post describes a problem you have, I can fix it for you — usually faster than reading another blog post.

Get in touch