The Right Way to Share Passwords Securely
Sharing passwords is inevitable in today's connected world. Whether you're onboarding a new team member, granting database access, or temporarily sharing API credentials, the how matters enormously. Most people get it catastrophically wrong. Here's the right way.
The Problem with Traditional Methods
Email: Permanent Record
Email is not private. Your password sits on servers indefinitely, where it stays searchable and exposed to breaches for years.
SMS: Intercepted
SMS is unencrypted and easy to intercept. Carriers and networks can read it.
Messaging Apps (Slack, Teams, Discord)
Better than email, but still risky:
- Permanent logs – Everything is archived and searchable by admins
- No privacy – Your company can access all messages
- Not designed for secrets – They're designed for permanent team chat
Shared Documents (Google Drive, Dropbox)
Never, ever put credentials in shared documents. One leaked link = instant access.
The Right Way: Encrypted Sharing
EncodeNote solves this with strong encryption that the server itself cannot read:
- Generate a strong codeword: ProvisionAccess2026March
- Paste your credential into EncodeNote
- Share the codeword via a separate, secure channel (phone call, in-person, encrypted chat)
- Recipient enters the codeword and views the password
- Delete manually when done
Why This Works
- Encrypted End-to-End: We can't read your password even if we wanted to
- No Account Needed: Instant access—no waiting for system admin setup
- Separate Channels: The credential and the access method travel separately
- Temporary by Design: Share only what you need, when you need it
- No Logs: We don't track who accessed what
Best Practices
1. Use Strong Codewords
❌ Bad: password123
✅ Good: TechStack2026ProjectX
✅ Better: BlueMountainSunset2026March17Proposal
Use multiple words, numbers, dates. Make it unique and memorable.
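An added example, not EncodeNote's own code: because the codeword is what unlocks the vault, this sketch picks the words with a CSPRNG instead of by hand and reports how much entropy the result carries. The word list is a short constructed sample, and the guess rate is an assumed figure for illustration.

```python
import math
import secrets

# Constructed sample list, kept short so the example runs offline.
# Assumption: in practice you would load a large published word list.
WORDS = ["blue", "mountain", "sunset", "harbor", "copper", "lantern",
         "meadow", "falcon", "granite", "orchid", "timber", "velvet",
         "canyon", "ember", "quartz", "willow"]
DIGIT_BITS = math.log2(10)  # entropy of one random decimal digit


def generate_codeword(n_words=5, words=WORDS, n_digits=4):
    """Join randomly chosen capitalized words and random digits (CSPRNG)."""
    parts = [secrets.choice(words).capitalize() for _ in range(n_words)]
    digits = "".join(secrets.choice("0123456789") for _ in range(n_digits))
    return "".join(parts) + digits


def entropy_bits(n_words, list_size, n_digits=4):
    """Entropy when the attacker knows the word list and the format."""
    return n_words * math.log2(list_size) + n_digits * DIGIT_BITS


def words_needed(target_bits, list_size, n_digits=4):
    """Smallest word count that reaches target_bits for this list size."""
    remaining = max(0.0, target_bits - n_digits * DIGIT_BITS)
    return math.ceil(remaining / math.log2(list_size))


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every possible codeword at a given rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    rate = 1e6  # assumed guess rate, for illustration only
    for size in (len(WORDS), 7776):  # sample list vs. a 7776-word list
        n = words_needed(64, size)
        bits = entropy_bits(n, size)
        print(f"list={size:5d} words={n:2d} bits={bits:5.1f} "
              f"years={years_to_exhaust(bits, rate):.2e}")
    print("example codeword:", generate_codeword())
```

The entropy figure holds only for codewords the generator picked at random; a hand-chosen project name and year is easier to guess than its length suggests.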
2. Communicate Codewords Separately
If you share the password via EncodeNote link on Slack, don't also paste the codeword on Slack. An attacker intercepting both = instant access.
Share codeword via:
- Phone call
- In-person conversation
- End-to-end encrypted chat (Signal, WhatsApp)
- Secure password manager with shared access
3. Set Expectations & Verify
Tell the recipient: "I'm sending you a temporary credential on EncodeNote. The codeword is [X]. This is temporary—don't rely on it."
Have them confirm receipt and that they've saved/used the credential.
4. Delete After Use
Once the recipient has the credential:
- They copy/save it to their password manager
- You manually delete the EncodeNote vault
Both actions are permanent.
5. Rotate Shared Credentials Regularly
Any shared credential carries higher risk. Rotate shared credentials monthly or after personnel changes.
Real-World Scenario
Alice needs to give Bob temporary database access:
- Alice creates vault with codeword: DatabaseAccess2026Bob
- Alice pastes into EncodeNote: username, password, host, port
- Alice calls Bob: "I've shared temp DB access. The codeword is DatabaseAccess2026Bob. It's encrypted end-to-end."
- Bob opens EncodeNote on his phone, enters codeword, copies credentials
- Bob pastes into his password manager with expiry date marked
- Alice deletes the EncodeNote vault
- In 30 days, Bob's password manager reminds him to revoke access
Total attack surface: Minimal. The credential never touched email, chat logs, or any other unencrypted storage.
When NOT to Use Temporary Shares
This method is perfect for temporary access. For permanent access, use:
- SSO (Single Sign-On) systems
- Password managers with organizational shares
- Proper identity and access management (IAM)
- Environment variables for API keys (never in code)
Compliance Considerations
If you're in healthcare (HIPAA), finance (SOX), or government sectors, temporary password sharing might fall outside your compliance requirements. Consult your security team. That said, EncodeNote is more compliant than email, which many organizations still use for credentials (yikes).
Summary
| Method | Encryption | Permanence | Risk |
|---|---|---|---|
| Email | ❌ None | ♾️ Forever | 🔴 Critical |
| SMS | ❌ None | ⏱️ Varies | 🔴 Critical |
| Slack/Teams | ✅ In transit | ♾️ Forever | 🟠 High |
| Shared Doc | ✅ In transit | ♾️ Forever | 🔴 Critical |
| EncodeNote | ✅ End-to-end (E2E) | ⏱️ You control | 🟢 Low |
Use EncodeNote for temporary credentials. Use SSO for permanent access. Never email passwords. Stay safe.
EncodeNote is open source. Audit the code. Deploy it yourself. Trust, but verify.