How to safely share passwords

In the course of managing websites for my Peace of Mind Program clients, I need to be able to log into their WordPress dashboards, as well as their web hosting accounts, domain registrars, and assorted other services.

You probably already know that it isn’t a good idea to send someone a password via email (and the same goes for any sensitive information, like credit card numbers and Social Security numbers).

So what do I recommend to my clients when it comes to safely and securely sharing passwords with me?

Method 1: Create a new user account

The safest way to grant someone access to your WordPress dashboard is to create a new user with their email address. For site maintenance (tasks like running backups, managing plugins and themes, and the like), the new user should have admin-level privileges, but you can create a lower-level user (Editor or Author) for people who need to add or edit content but don’t need access to full site-management capabilities.

This approach avoids the security and logistical issues that can arise when sharing one password between two users, and you can delete the account later (or demote the user to non-admin-level access) if the need for access is temporary.

WordPress will automatically take care of emailing your new user, if you check the “Send the new user an email about their account” box during user creation. The user will be prompted to set up a new password, so you don’t need to create or send a new password for them.

A system like this, where a new user account is created that’s separate from yours, is safer than one where account access is shared between two or more people.

The WordPress Dashboard is a good example, but other systems (such as creating new FTP users to access your website files) may allow multiple users as well.

Method 2: Grant account access

If you can’t create a completely new, separate user account, you may be able to create a sub-account with specific access privileges.

Good web hosts are increasingly offering this capability to website owners, because they understand that sometimes a website owner wants to delegate certain maintenance tasks while keeping full control of their websites.

My recommended hosts both offer this service to website owners: DreamHost lets you grant account privileges to others, and Siteground has a feature called Collaborator Access that does the same thing. You, as the website owner, can grant access to me, your website maintainer and troubleshooter, to take care of all your website needs without exposing your billing details or other sensitive account information.

Check with your web host to see if they offer a similar capability!

If there’s no way to create a new user or sub-account, and you must resort to sharing a password with someone (sometimes it’s necessary!), make sure that you share the password in a way that’s as safe as possible.

One rule of thumb is to never send the username and password in the same message.

Another is to use a one-time link (a link that will only work the first time it is clicked), or a link that expires after a specific amount of time.

One service that provides one-time links for free is scrt.link (I used to recommend a service called OneTimeSecret, but I won’t link to them because I no longer recommend them). I’ve used it and it works well.

There are other options (some are listed here, in a blog post by the creators of scrt.link) if this one isn’t to your liking.

Method 4: Use your password manager

Finally, if you use a password manager to save and generate passwords, it may include the ability to send passwords securely to your contacts.

My favorite password manager, 1Password, recently introduced this feature. If you use a password manager (and you should!), it’s worth checking to see if it offers a secure way to send passwords to trusted contacts.

Wrapping it up

Basically, the first step is attempting to avoid sending an already-created password in the first place (by creating a separate login identity as described in Methods 1 and 2), and only then, if that proves impossible, resorting to Method 3 or 4 to minimize the security problems that come with sharing passwords.