TL;DR
Never send passwords or other sensitive credentials directly via email, chat, or unencrypted methods. Use a password manager with secure sharing features, temporary access tokens, or a dedicated secrets management tool. Prioritise least privilege and regularly rotate credentials.
1. Understand the Risks
Sending credentials (usernames, passwords, API keys) insecurely is a major cyber security risk. Here’s why:
- Interception: Emails and messages can be intercepted.
- Storage: They may be stored on servers you don’t control.
- Human Error: Accidental forwarding or sharing with the wrong person.
- Compromise: Accounts are vulnerable if credentials fall into the wrong hands.
2. Password Managers with Secure Sharing
Password managers like 1Password, LastPass, and Bitwarden offer secure sharing features. This is often the easiest solution for small teams.
- How it works: You store credentials in the password manager vault and grant limited access to specific team members.
- Benefits: Encrypted storage, audit logs, easy credential rotation.
- Example (1Password): Create a folder for client access, add the username/password as an item, then share that item with the relevant user(s). You can set permissions like ‘view only’ or ‘edit’.
3. Temporary Access Tokens
Instead of long-lived credentials, use temporary tokens that expire automatically.
- How it works: Generate a token with a limited lifespan (e.g., 1 hour) for specific access.
- Benefits: Reduced risk if the token is compromised.
- Implementation: This requires your application or service to support token generation. Many APIs now offer this functionality. For example, OAuth 2.0 provides a standard way to create tokens.
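The token mechanism described above, as an added example that is not part of the original guide: the issuing side signs a short payload (subject, scope, issue and expiry time) with a server-side HMAC key, and the verifying side rejects anything tampered, expired, or lacking the required scope. The signing key, the `client-42` subject and the `read` scope are constructed for the demonstration; a real deployment would load the key from a secrets store rather than generate it at import time.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption: a server-side signing key kept out of source control.
# Generated here only so the example runs stand-alone.
SIGNING_KEY = secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, scopes, ttl_seconds=3600, now=None, key=SIGNING_KEY):
    """Create a short-lived, HMAC-signed token carrying subject, scopes and expiry."""
    now = int(time.time()) if now is None else int(now)
    payload = {
        "sub": subject,
        "scope": list(scopes),
        "iat": now,
        "exp": now + ttl_seconds,       # absolute expiry; the verifier enforces it
        "jti": secrets.token_hex(8),    # unique id, useful for audit logs / revocation lists
    }
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token, required_scope, now=None, key=SIGNING_KEY):
    """Return the payload if the token is authentic, unexpired and carries the scope; else None."""
    now = int(time.time()) if now is None else int(now)
    try:
        body, sig = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison prevents timing leaks of the signature.
        if not hmac.compare_digest(_unb64(sig), expected):
            return None  # forged or tampered
        payload = json.loads(_unb64(body))
    except ValueError:
        return None  # malformed base64 / JSON / structure
    if now >= payload["exp"]:
        return None  # expired: the credential is useless even if leaked later
    if required_scope not in payload["scope"]:
        return None  # least privilege: token is valid but not for this action
    return payload


if __name__ == "__main__":
    tok = issue_token("client-42", ["read"], ttl_seconds=3600)
    print("valid now:", verify_token(tok, "read") is not None)
    print("valid in two hours:", verify_token(tok, "read", now=time.time() + 7200) is not None)
```

The `now` parameter exists so expiry handling can be tested deterministically; in production leave it unset. Signing only proves the token came from your service, so the payload is readable by the holder; keep secrets out of it and put only identifiers and permissions in.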
4. Secrets Management Tools
For larger teams and more complex applications, consider dedicated secrets management tools like HashiCorp Vault or AWS Secrets Manager.
- How it works: Centralised storage of credentials with fine-grained access control, encryption, and audit logging.
- Benefits: Enhanced security, scalability, automation.
- Example (AWS Secrets Manager):
  aws secretsmanager create-secret --name my-client-credentials --description "Credentials for accessing client service" --secret-string '{"username":"clientuser","password":"securePassword123"}'
- Note: These tools have a steeper learning curve.
5. Least Privilege Principle
Always grant clients only the minimum level of access they need to perform their tasks.
- Example: If a client only needs read-only access to data, don’t give them write permissions.
6. Regular Credential Rotation
Change credentials periodically (e.g., every 90 days) even if there’s no known compromise.
- Automation: Use password managers or scripts to automate the rotation process.
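An added example of the kind of rotation script mentioned above (not code from the original guide): it reads a credential inventory, flags every entry whose last rotation is 90 days old or older, and generates a replacement value with the `secrets` module rather than the non-cryptographic `random` module. The inventory entries and dates are constructed; in practice they would be exported from the password manager or secrets store, and the generated values would be written back there, never printed or logged.

```python
import secrets
import string
from datetime import datetime, timedelta, timezone

ROTATION_PERIOD = timedelta(days=90)

# Constructed sample inventory; timestamps are ISO 8601 with an explicit UTC offset.
INVENTORY = [
    {"name": "client-portal-admin", "last_rotated": "2024-01-05T09:00:00+00:00"},
    {"name": "reporting-api-key", "last_rotated": "2024-03-20T12:30:00+00:00"},
    {"name": "sftp-upload", "last_rotated": "2024-04-01T08:00:00+00:00"},
]


def due_for_rotation(inventory, now, period=ROTATION_PERIOD):
    """Return the names of credentials whose last rotation is at least `period` old."""
    due = []
    for item in inventory:
        rotated = datetime.fromisoformat(item["last_rotated"])
        if now - rotated >= period:
            due.append(item["name"])
    return due


def new_password(length=24):
    """Generate a replacement credential from a CSPRNG (the `secrets` module)."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def rotation_plan(inventory, now):
    """Map each overdue credential name to a freshly generated replacement value."""
    return {name: new_password() for name in due_for_rotation(inventory, now)}


if __name__ == "__main__":
    plan = rotation_plan(INVENTORY, datetime.now(timezone.utc))
    # Print only the names: the new values belong in the vault, not on a terminal.
    print("credentials to rotate:", sorted(plan))
```

Run it from a scheduled job and have it push the new values into the password manager or secrets store through that tool's API; the script above stops at producing the plan so it stays tool-agnostic.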
7. Avoid These Methods
- Email: Never send credentials in plain text email.
- Chat Applications (Slack, Teams): Not secure enough for sensitive information.
- Text Messages: Unencrypted and easily intercepted.
- Spreadsheets: Easily accessible and lack proper security controls.