How to Send Passwords Securely
Email and chat keep copies of everything. Learn safer ways to hand someone a password, including one-time secret links and split-channel delivery.
Sooner or later everyone needs to give someone else a password: a shared account, the passphrase for an encrypted file, Wi-Fi credentials for a contractor. The instinctive choices, email and chat, are poor fits for the job, not because they are easy to intercept in transit, but because they remember everything.
A password pasted into an email lives on in sent folders, inboxes, server backups, search indexes, and every device that syncs the account, often for years. Secure delivery is mostly about limiting how many durable copies of the secret come into existence.
Why email and chat fall short
Most email still traverses infrastructure where messages are stored unencrypted at rest, and even end-to-end encrypted messengers keep history on every participating device by default. Messages get forwarded, quoted in replies, captured in compliance archives, and included in backups. Once a password enters a conversation thread, you no longer control how many copies exist or who can eventually read them.
If a mailbox is compromised later, an attacker can simply search it for words like 'password'. The exposure window is not the moment of sending; it is the entire retention life of the message.
One-time secret links
A better pattern is a link that reveals the secret once and then destroys it. With SecretPNG's secret link tool, the secret is encrypted in your browser using a random 256-bit AES-GCM key before anything is sent. The key is placed only in the URL fragment, the part after the # symbol, which browsers do not transmit to servers. The server stores only ciphertext plus expiry and view rules, so it cannot read the secret it is holding.
Retrieval is atomic: the first successful view consumes a one-time secret, and later attempts get nothing. If the recipient reports the link already used, treat the secret as exposed and rotate it. Be aware that corporate security scanners and chat link previews can consume one-time links before a human ever clicks; if your recipient's environment does that, use a link that allows a small number of views or a short expiry window instead.
Split the channels
When you send an encrypted file, never send its password through the same channel. Email the file, then deliver the password by a different route: a phone call, an SMS, a one-time secret link, or in person. An attacker who compromises one channel then holds either the lock or the key, but not both.
For recurring collaboration, a shared password manager vault is a better long-term answer than repeatedly transmitting secrets at all.
A practical checklist
Before you hit send, run through a short mental list.
- Prefer a one-time or expiring secret link over pasting the password into a message.
- Send the password and the protected file through two different channels.
- Set the shortest expiry the recipient can realistically meet.
- Confirm receipt, then delete your own working copies of the secret.
- If anything looks off, such as a link consumed before the recipient opened it, rotate the password immediately.
After delivery
Remember that secure delivery ends at the recipient. Once someone views a password, they can copy it, screenshot it, or store it carelessly. Sharing a secret always means trusting the person you share it with, so pair good tooling with clear expectations about how the recipient should store what you send.
Limitations to keep in mind
- No delivery method controls what happens after the recipient sees the secret; they can always copy, screenshot, or re-share it.
- One-time links can be consumed by automated link scanners and chat previews before the intended recipient opens them.
- A secret link is only as trustworthy as the channel you send it through; verify you are sending to the right person before sharing.