
Freelancers & agencies

How to safely share credentials with clients

If you build websites, manage social media accounts, run paid ad campaigns, or do anything that involves accessing a client's digital accounts — you hand over credentials constantly. Most freelancers and agencies do this badly. Not out of negligence, but because nobody ever told them there was a better way.

The credential handoff problem

When a project ends, both parties need to exchange access. The client needs their passwords. You need to hand over what you know. The obvious way — sending credentials over email — is also the most dangerous.

Here is what happens when you email a client their passwords:

  • The email is stored on your mail server, your email provider's infrastructure, and the client's inbox — potentially forever.
  • If either party's email account is compromised at any point in the future, every credential you have ever exchanged is now exposed.
  • Many clients use email providers with weak security practices, no two-factor authentication, and shared inboxes accessed by multiple staff members.
  • If the relationship ends badly and becomes a legal dispute, that email thread — with all its credentials — could appear in discovery.

The same applies to Slack, WhatsApp, and any other persistent messaging platform. The credential you send today exists in those logs until someone actively deletes it, which almost never happens.

Why this matters for freelancers specifically

Agencies and freelancers have a particular exposure that in-house teams do not. You work with many different clients, each with different security practices. You send and receive credentials from clients who use Gmail, Outlook, Yahoo, and countless other providers — and you have no control over how they are secured on the other end.

If a client's email is compromised after you handed over their WordPress admin password via email, you may face questions about how you handled that credential. Even if you are not legally liable, it damages trust and your professional reputation.

More practically: your own email inbox becomes a treasure chest of credentials over time. A single successful phishing attack against you could expose dozens of client accounts simultaneously.

What a secure credential handoff looks like

A secure handoff has these properties:

  • The credential is encrypted at every point in the process — including while it is in transit and while it is stored anywhere temporarily.
  • Access is limited to one person, and ideally the credential can be opened only once so it cannot be retrieved later.
  • No persistent copy exists after the handoff is complete. The credential should not linger in any archive, log, or message history.
  • You have a record that the handoff happened, even if you do not have a record of what was handed off.

One-time encrypted links satisfy all of these. You generate a link, the client opens it once, the credential is destroyed, and the link is dead. There is nothing left to steal from either party's inbox.

Step-by-step: handing credentials to a client

  1. Generate one link per credential. Do not bundle multiple passwords into one link. If you need to hand over five credentials, create five links. This way, if a link is intercepted or opened by the wrong person, only one credential is exposed — not all of them.
  2. Send the link over your normal communication channel. Email, Slack, or your project management tool is fine. The link is safe to send over any channel. The secret inside is encrypted, and the decryption key is in the URL fragment — not on the server. Intercepting the link does not expose the password.
  3. Tell the client to open it promptly. Links expire after 7 days if unopened. If you want to confirm the client received the credential, ask them to acknowledge once they have opened the link. If they say they cannot open it, you will know the link was accessed by someone else.
  4. Keep a note of what you sent, not the value itself. You do not need to record the actual password anywhere. Just note what was sent: “Sent WordPress admin credentials to [client] on [date] via secure link.” This gives you a handoff record without creating a persistent copy of the credential.
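
The mechanism behind steps 2 and 3, as an added example (not code from this page or from the service it describes): the sender encrypts locally, the server holds only ciphertext and releases it once, and the key travels in the URL fragment, which HTTP clients do not send. AES-256-GCM, the in-memory Map standing in for the server, and the share.example domain are assumptions made for illustration.

```javascript
// Added illustration; the cipher, storage model and domain are assumptions.
const nodeCrypto = require('node:crypto');

const TTL_MS = 7 * 24 * 60 * 60 * 1000; // the page's 7-day expiry
const server = new Map();               // id -> { blob, expires }; never holds the key

// Sender: encrypt locally, upload ciphertext only, put the key in the fragment.
function createLink(secret, now = Date.now()) {
  const key = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(secret, 'utf8'), cipher.final()]);
  const blob = Buffer.concat([iv, cipher.getAuthTag(), ct]);
  const id = nodeCrypto.randomBytes(16).toString('hex');
  server.set(id, { blob, expires: now + TTL_MS });
  return `https://share.example/s/${id}#${key.toString('base64url')}`;
}

// What an HTTP client puts in the request line: path and query, no fragment.
function requestTarget(link) {
  const u = new URL(link);
  return u.pathname + u.search;
}

// Server: release the blob once, then delete it; expired entries are dropped too.
function fetchOnce(id, now = Date.now()) {
  const entry = server.get(id);
  server.delete(id);
  return entry && entry.expires > now ? entry.blob : null;
}

// Recipient: fetch ciphertext by id, decrypt with the key taken from the fragment.
function openLink(link, now = Date.now()) {
  const u = new URL(link);
  const blob = fetchOnce(u.pathname.split('/').pop(), now);
  if (!blob) return null; // already opened, or expired
  const key = Buffer.from(u.hash.slice(1), 'base64url');
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28)); // GCM rejects a modified blob or wrong key
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]).toString('utf8');
}
```

Whoever holds the complete link, fragment included, and opens it first gets the plaintext. A second `openLink` on the same link returns `null`, which is the signal the acknowledgement in step 3 relies on.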

Receiving credentials from clients securely

The same logic applies in reverse. When a client sends you access to their accounts, ask them to use a one-time link instead of typing credentials into an email. Send them the link to cyph3rdrop.com and explain that it is free, requires no sign-up, and ensures the credentials are not left sitting in an email thread.

Most clients appreciate this. It signals that you take security seriously — which is increasingly a differentiator for agencies and freelancers working with businesses that have compliance requirements (GDPR, SOC 2, HIPAA, and so on).

What about password managers?

Password managers with sharing features (like 1Password Teams or Bitwarden) are excellent for ongoing relationships with permanent team members. If a client is going to be working with you for years and you share dozens of credentials, setting up shared vaults makes sense.

But for most client relationships — especially project-based work that ends at handoff — shared password manager vaults are overkill. They require both parties to use the same tool, create persistent shared records, and need to be actively cleaned up when the project ends. One-time links are simpler and leave nothing behind.

Common scenarios

Handing over a completed website to a client

Generate separate links for: the hosting control panel login, the CMS admin credentials, the FTP/SFTP credentials, any third-party service API keys you configured, and the DNS provider login if you managed it. Send each link individually with a clear label in the accompanying message — not in the link itself.

Receiving social media or ad account credentials mid-project

Ask the client to generate a one-time link for any credentials they need to share with you. Include a short note in your onboarding process explaining how to use the tool. This takes about 30 seconds and protects both of you.

End-of-project credential reset

Before you hand over a completed project, have the client reset all passwords and then share the new ones via one-time links. This ensures there are no old credentials sitting anywhere — not in your inbox, not in your notes, not in theirs.

The professional case for secure credential handling

Clients increasingly ask about security practices before hiring. Agencies that can say “we never transmit credentials in plaintext” are differentiating themselves from competitors who are still emailing passwords around.

Beyond the competitive angle, handling credentials carelessly is a liability. As data protection regulations tighten globally, demonstrating that you took reasonable steps to protect client data — including using encrypted, ephemeral handoff methods — is worth more than the minute or two it takes to generate a secure link.
