How to Share a Password Securely

Whether you're sharing Wi-Fi credentials with a guest, sending database passwords to a colleague, or giving a client access to their new account, there's a right way and a wrong way to share passwords. Here's a complete guide to doing it securely.

The Wrong Way: Plaintext Channels

The most common mistake is sharing passwords through channels that store data indefinitely:

• Email — Lives in sent/inbox folders forever, backed up on servers, searchable
• Slack/Teams — Message history is retained and searchable by admins
• SMS/iMessage — Stored on devices and carrier systems
• Sticky notes — Physical security risk, easily photographed
• Shared documents — Google Docs and similar tools log access but don't encrypt individual entries

Any channel that retains the password creates a future attack surface. If that channel is ever compromised, every password shared through it is exposed.

The Right Way: Self-Destructing Encrypted Links

The secure approach uses three principles: encrypt the password, limit access to one view, and auto-delete after reading.

Step-by-Step with Only Once Share

1. Go to ooshare.io
2. Enter the password (or any secret text) in the text area
3. Choose an expiration time — pick the shortest practical window (1 hour if the recipient is online now)
4. Click "Create Secret Link" — your browser encrypts the password with AES-256-GCM before sending anything to the server
5. Copy the generated link and send it to the recipient via any channel (email, Slack, SMS — the link itself contains no sensitive data)
6. The recipient opens the link, sees the password, and the data is permanently destroyed

Even though you might send the link via email, the password itself is never in the email. The link is just a pointer to encrypted data that self-destructs after one view.

Why This Approach Works

• No persistent copies — The password is destroyed after viewing
• End-to-end encrypted — The server only handles encrypted data
• Zero knowledge — The encryption key is in the URL fragment, never sent to the server
• Time-limited — Even if never viewed, the data expires automatically
• No account needed — No registration, no friction

Additional Best Practices

Rotate After Sharing

If you're sharing a password for initial setup (like onboarding a new employee), have them change the password immediately after first login. This limits the window of exposure to the shared credential.

Use Different Channels for Context

Send the secret link via one channel and tell the recipient what it's for via another. For example: send the link via Slack, but tell them "check your email for the database password link" — this way, intercepting one channel doesn't reveal what the password is for.

Set the Shortest Practical Expiration

Don't default to 72 hours when the recipient is online right now. Set a 1-hour expiration to minimize the window during which the encrypted data exists on any server.

For Ongoing Shared Access, Use a Password Manager

Self-destructing links are ideal for one-time sharing. For ongoing shared access (like a team service account), use a password manager with shared vault functionality instead. The self-destructing link is for the initial handoff; the password manager is for daily use.

Conclusion

Sharing passwords securely doesn't have to be complicated. Use an encrypted, self-destructing link for one-time sharing, set the shortest practical expiration, and rotate credentials after the initial handoff. It takes 10 seconds and eliminates the risk of passwords sitting in email threads and chat logs indefinitely.