Skip to content
SecretPNG

How to Send Passwords Securely

Email and chat keep copies of everything. Learn safer ways to hand someone a password, including one-time secret links and split-channel delivery.

By SecretPNG TeamReviewed by SecretPNG Security TeamPublished 2026-07-14Updated 2026-07-14

Sooner or later everyone needs to give someone else a password: a shared account, the passphrase for an encrypted file, Wi-Fi credentials for a contractor. The instinctive choices, email and chat, are poor fits for the job, not because they are easy to intercept in transit, but because they remember everything.

A password pasted into an email lives on in sent folders, inboxes, server backups, search indexes, and every device that syncs the account, often for years. Secure delivery is mostly about limiting how many durable copies of the secret come into existence.

Why email and chat fall short

Most email still traverses infrastructure where messages are stored unencrypted at rest, and even end-to-end encrypted messengers keep history on every participating device by default. Messages get forwarded, quoted in replies, captured in compliance archives, and included in backups. Once a password enters a conversation thread, you no longer control how many copies exist or who can eventually read them.

If a mailbox is compromised later, an attacker can simply search it for words like 'password'. The exposure window is not the moment of sending; it is the entire retention life of the message.

Split the channels

When you send an encrypted file, never send its password through the same channel. Email the file, then deliver the password by a different route: a phone call, an SMS, a one-time secret link, or in person. An attacker who compromises one channel then holds either the lock or the key, but not both.

For recurring collaboration, a shared password manager vault is a better long-term answer than repeatedly transmitting secrets at all.

A practical checklist

Before you hit send, run through a short mental list.

  • Prefer a one-time or expiring secret link over pasting the password into a message.
  • Send the password and the protected file through two different channels.
  • Set the shortest expiry the recipient can realistically meet.
  • Confirm receipt, then delete your own working copies of the secret.
  • If anything looks off, such as a link consumed before the recipient opened it, rotate the password immediately.

After delivery

Remember that secure delivery ends at the recipient. Once someone views a password, they can copy it, screenshot it, or store it carelessly. Sharing a secret always means trusting the person you share it with, so pair good tooling with clear expectations about how the recipient should store what you send.

Limitations to keep in mind

  • No delivery method controls what happens after the recipient sees the secret; they can always copy, screenshot, or re-share it.
  • One-time links can be consumed by automated link scanners and chat previews before the intended recipient opens them.
  • A secret link is only as trustworthy as the channel you send it through; verify you are sending to the right person before sharing.

Sources