How to Share a Password Securely at Work (No Special Tools)

by Andergrove Software

Dropping a password into Slack or email feels harmless, but it leaves the secret sitting in chat history, search indexes, inboxes and backups, often for years and visible to more people than you think. You do not need a paid password manager to do better. The core trick is simple: split the secret across two channels, and where you can, send it as a short-lived encrypted blob instead of plain text.

Here are the patterns that actually work, roughly in order of how much they help, plus the mistakes that quietly undo them. The Andergrove AES text encryption tool can do the encrypt-then-send step entirely in your browser.

Why plaintext in chat or email is risky

A password pasted into a message does not vanish when the other person reads it. It persists:

  • It is searchable and permanent. Slack, Teams and email keep history; anyone who later gains access to that account or channel can find it.
  • It spreads. Messages get forwarded, quoted, screenshotted, and synced to phones and laptops.
  • It widens the blast radius. If that mailbox or workspace is ever breached, every credential ever pasted into it leaks at once.
  • It outlives the need. The shared password is usually never rotated, so the copy in chat stays valid indefinitely.

The goal is to make the secret hard to find later and useless if the channel is compromised.

The two-channel rule

The simplest big win: never send the secret and the means to read it through the same place. Send the protected secret over one channel and the key to unlock it over a different one. For example, share an encrypted blob by email and tell the person the passphrase over Signal or in person. Now a breach of either channel alone reveals nothing useful. It is the same idea behind two-factor authentication: two independent factors are far stronger than one.

Encrypt, then send

Better than splitting plain text is to encrypt the secret first:

  1. Encrypt the password with a passphrase using AES. The Andergrove AES tool does this in your browser, so the plaintext never leaves your device.
  2. Send the resulting ciphertext over your normal channel (email, ticket, chat).
  3. Share the passphrase over a different channel (a call, Signal, in person).

The recipient pastes the ciphertext and the passphrase into the same tool to decrypt. Even if the ciphertext leaks, it is meaningless without the passphrase, and the passphrase travelled separately.
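The steps above as a Node.js example, added here for illustration; it is not the Andergrove tool's code, and the blob it produces is not that tool's format. The scrypt parameters, the salt | IV | tag | ciphertext layout, the function names and the sample values are all assumptions.

```javascript
// Added example: passphrase-based AES-256-GCM for the encrypt-then-send steps.
const { randomBytes, scryptSync, createCipheriv, createDecipheriv } = require('node:crypto');

// Assumed blob layout (not the Andergrove tool's format):
//   base64( salt[16] | iv[12] | authTag[16] | ciphertext )
const SALT_LEN = 16, IV_LEN = 12, TAG_LEN = 16;

// scrypt stretches the passphrase so each guess against a leaked blob is costly.
// The cost parameters are assumptions for this example.
function deriveKey(passphrase, salt) {
  return scryptSync(passphrase.normalize('NFKC'), salt, 32,
    { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 });
}

// Steps 1-2: produce the text that goes over the normal channel.
function encryptSecret(secret, passphrase) {
  const salt = randomBytes(SALT_LEN); // fresh per message, so the derived key differs each time
  const iv = randomBytes(IV_LEN);
  const cipher = createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  const ct = Buffer.concat([cipher.update(secret, 'utf8'), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Recipient side: needs the blob plus the passphrase from the second channel.
function decryptSecret(blob, passphrase) {
  const raw = Buffer.from(blob.trim(), 'base64');
  if (raw.length < SALT_LEN + IV_LEN + TAG_LEN) throw new Error('blob truncated');
  const salt = raw.subarray(0, SALT_LEN);
  const iv = raw.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const tag = raw.subarray(SALT_LEN + IV_LEN, SALT_LEN + IV_LEN + TAG_LEN);
  const ct = raw.subarray(SALT_LEN + IV_LEN + TAG_LEN);
  const decipher = createDecipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv,
    { authTagLength: TAG_LEN });
  decipher.setAuthTag(tag);
  // final() throws on a wrong passphrase or a blob altered in transit.
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Constructed sample values, for illustration only.
const demoBlob = encryptSecret('constructed-db-password-42', 'maple anchor violet drum');
console.log('send by email :', demoBlob);
console.log('decrypts to   :', decryptSecret(demoBlob, 'maple anchor violet drum'));
```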

One caution: encrypting is not the same as encoding. Base64 looks scrambled but has no key and protects nothing, so do not mistake it for security (see Base64 isn't encryption).

Make it short-lived

A shared secret should not live forever:

  • Rotate it right after handover. If you are sharing access to an account, change the password once the other person has set up their own access or saved it to their manager.
  • Prefer a real vault or SSO when one exists. If your team has a shared password manager, single sign-on, or a built-in "share" feature, use it: those are designed to grant and revoke access without copying secrets around. The no-tools methods here are for when you genuinely have nothing better to hand.
  • Generate a fresh, strong secret to share rather than reusing an existing one. A long random password (from the password generator) limits the damage if the share goes wrong, and resists cracking if the channel is later breached (see how long it takes to crack a password).

What never to do

  • Do not commit secrets to git. Even once deleted they live in the history forever; treat any committed secret as compromised and rotate it.
  • Do not paste secrets into tickets, wikis or shared docs. Those are searchable, widely accessible, and they persist.
  • Do not reuse a password so you can "share the one everyone knows." Shared, reused passwords are impossible to revoke per person and turn one leak into many.
  • Do not rely on "delete after reading" alone. Deletion is best-effort and does not undo forwarding, backups or screenshots.

The short version

If you remember nothing else: split the secret and its key across two channels, encrypt it when you can, rotate it afterward, and move to a proper shared vault as soon as one is available. You can encrypt a secret to share right now with the AES text encryption tool, entirely in your browser.