In this article, learn how to share a password securely. Your web developer will need access to your web hosting account and FTP to create your website. You may need to create and send out passwords for other users in your organization. How can you create good passwords and share them securely?
Is it secure to send passwords over email?
No. Email is not a secure way to share passwords. This article from Defending Digital explains more in depth why email and text messaging are not secure systems.
When you send a password in readable text over email, it is stored on your email server. Even if you delete the email, it may go to the trash and not be deleted for some time. If someone hacks into your email, they could find a treasure trove of passwords right in your account. Beyond that, it may be stored on various servers on its way to you, and it may be intercepted on its way to you. If you receive a password by email, particularly if the username and/or the link to the service is included, log in to the service, and change your password immediately.
How can I share a password securely?
There are various services you can use to send a message that will self-destruct after the message is viewed, or after a certain amount of time. To ensure you are using this type of method in a secure fashion, be sure to send the password alone, without accompanying information about what the password is for. You can email your developer to let them know you’re going to send them the username and password for a specific service, and then send the information through one of the services listed below.
1ty.me doesn’t require an account. Simply enter the information in the textbox, and click on Generate Link.
Copy the link and email it to your correspondent. Once the link is visited, it is destroyed in the 1ty.me system and cannot be revisited.
Noteshred requires you to sign up for an account, but the service is free. Once you create an account, you can send a note directly from the interface.
Noteshred also shows you your activity – you can see whether a note has been received and read, or shredded.
If someone does find the link to your note hanging out on a server somewhere, by the time they view it, it will look like this:
- ONE TIME SECRET
One Time Secret works in a similar fashion. You enter your secret information, and you set the amount of time the link should be active. Once your recipient views the link, it will no longer be active or viewable by anyone ever again. If you create an account, you can further secure your message with a passphrase. If you’re not comfortable signing up for an account with your real email address, you can even sign up with a temporary one.
Once the secret has been viewed, if anyone else tries to see it, they will not be able to.
- QUICK FORGET
Quick Forget allows you to set the secret to be viewed a specific number of times, and to be forgotten after the number of hours you determine. As with the other services, you’ll have a link to send to your recipient.
If the secret has been viewed the allotted number of times, or the time has expired, the secret is gone.
- Another option is to store your passwords in a password manager, and give your web developer technical access to a folder containing only the sites he may need to access. To send the password manager password, use one of the methods above.
Using any of these methods to share a password securely will help protect your accounts.
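To make the view-limit and expiry behaviour described above concrete, here is an added example (not code from any of the services named in this article) of a tiny in-memory secret store. The class name, method names and sample secrets are hypothetical and constructed for illustration.

```python
import secrets
import time


class OneTimeSecretStore:
    """Hypothetical illustration: secrets that expire by view count or age."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be tested
        self._items = {}         # token -> [secret, views_left, expires_at]

    def put(self, secret, max_views=1, ttl_seconds=3600):
        if max_views < 1 or ttl_seconds <= 0:
            raise ValueError("max_views and ttl_seconds must be positive")
        # 256-bit random token: the link itself is the only credential,
        # so it must be unguessable.
        token = secrets.token_urlsafe(32)
        self._items[token] = [secret, max_views, self._clock() + ttl_seconds]
        return token

    def get(self, token):
        """Return the secret, or None if unknown, expired or used up."""
        item = self._items.get(token)
        if item is None:
            return None
        secret, views_left, expires_at = item
        if self._clock() >= expires_at:
            del self._items[token]   # expired: forget it without revealing it
            return None
        if views_left <= 1:
            del self._items[token]   # last permitted view: destroy the record
        else:
            item[1] = views_left - 1
        return secret


def demo():
    now = [0.0]                              # constructed clock for the demo
    store = OneTimeSecretStore(clock=lambda: now[0])
    once = store.put("constructed-sample-password")            # view once
    twice = store.put("constructed-sample-2", max_views=2)     # view twice
    timed = store.put("constructed-sample-3", ttl_seconds=60)  # one minute
    first, second = store.get(once), store.get(once)
    views = [store.get(twice) for _ in range(3)]
    now[0] = 61.0                            # advance past the 60-second TTL
    return first, second, views, store.get(timed)


if __name__ == "__main__":
    print(demo())
```

Because the link is the only thing protecting the secret, anyone who opens it first consumes a view; if your recipient reports that the link is already dead, treat the password as exposed and change it.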
Other best practices for password and access security
- When possible, add your developer as a technical contact.
This way, your developer can access the services required, but doesn’t have access to your billing area or other sensitive information.
- Use secure passwords.
How-To Geek gives some good password creation tips here. You can also use a password generator, like Password Generator or Secure Password Generator.
- Don’t save your passwords in your browser.
Instead, use a password manager.
- Create a new username and password for each person on your team who requires access to the services.
When a user moves on, you can simply remove his access rather than trying to remember all the passwords he has access to and changing them all.
- Split up the information.
Use one type of communication (phone, text message) to inform your contact that you’ll be sending a password to a specific service. Then use a different channel, like email, to send the link generated by one of the services above.
- Perform periodic access audits.
Remove any users who are no longer with your organization.