How to securely send a username and password?
Nicolas,
Sending a username and password by email, SMS or instant messaging is one of the riskiest practices in digital security. These channels are generally not end-to-end encrypted, and messages can remain accessible in histories for years. In 2026, several simple and accessible methods allow credentials to be transmitted in a truly secure way.
Why not send a password by email or SMS?
Standard email is not end-to-end encrypted: the content is readable by intermediate mail servers and can be intercepted in transit. SMS is even more vulnerable — it travels in plain text over telephone networks and can be intercepted via an SS7 attack or IMSI-catcher.
Furthermore, a password sent by message remains in both parties' conversation history indefinitely. In the event of a messaging account being compromised — which happens far more often than people think — all credentials transmitted via that channel are exposed.
Method 1: one-time link sharing tools
This is the simplest and most recommended method for individuals and professionals alike. These tools generate a unique link that can only be opened once — after opening, the content is automatically destroyed.
The most widely used services in 2026:
- One Time Secret: open source, free service that allows sharing an encrypted message via a single-use link with a configurable expiry time
- Password Pusher: specialised in password sharing, open source, self-hostable, configurable (number of views, expiry)
- Yopass: client-side encryption, unique link with expiry, available as a self-hosted version
The process is identical for all: you enter the password in the interface, the service generates an encrypted unique link which you send to the recipient. The recipient opens the link, reads the password, and the link immediately becomes invalid.
Good to know: always separate the username from the password when transmitting credentials. Send the username (or service name) via a standard channel (email, message), and transmit only the password via the one-time link. That way, even if the link is intercepted, it cannot be exploited without knowing which account it is associated with.
Method 2: a password manager with built-in sharing
Modern password managers offer built-in secure sharing features, ideal for professional or team use.
- Bitwarden: allows sharing credentials with other Bitwarden users via shared collections — end-to-end encryption, open source
- 1Password: vault sharing with team members, permission controls (read-only, edit)
- Dashlane: credential sharing with or without revealing the password in plain text to the recipient
These solutions are particularly suited to shared corporate access — access can be revoked at any time without the recipient having ever seen the password in plain text.
Method 3: end-to-end encrypted messaging
If you do not have access to a dedicated tool, end-to-end encrypted messaging remains an acceptable option — provided you use the right tools and delete the message immediately after the recipient has received it.
- Signal: end-to-end encryption by default, configurable ephemeral messages, available on iOS, Android and desktop
- WhatsApp: E2E encryption based on the Signal protocol, acceptable for occasional use
- ProtonMail: end-to-end encrypted emails between ProtonMail users, or via secure link for external recipients
Good to know: even on Signal, avoid leaving a password in the conversation history. Enable ephemeral messages (the "Timer" feature) on the relevant conversation and ask the recipient to confirm receipt before the message disappears.
Method 4: verbal or physical sharing
For the most sensitive credentials, verbal transmission remains the safest method. A phone call, video conference or in-person handover leaves zero digital trace — provided the recipient stores the credentials directly in a secure password manager rather than on a sticky note or in a text file.
What you should never do
| Practice to avoid | Risk |
|---|---|
| Standard email (Gmail, Outlook…) | No E2E encryption, remains in histories |
| SMS | Travels in plain text, interception possible, permanent history |
| Slack, Teams, Discord (no E2E encryption) | Readable by the operator, logs stored server-side |
| Shared text file or spreadsheet | No access control, can be copied indefinitely |
| Unsecured sticky note or paper | Physically accessible by anyone |
| Same password for multiple services | One compromise exposes all accounts |
Good to know: regardless of the channel used, change the shared password as soon as possible after the recipient has saved it in their password manager. A temporary password transmitted for first access should always be replaced by a personal password generated by the recipient themselves — this is the only way to ensure you no longer have access to the other party's sensitive information.