When someone asks you to “send the password,” the fastest option is often the riskiest: pasting it into an email, Teams message, WhatsApp chat or support ticket. Those systems may keep searchable copies on multiple devices and in long-term archives.
The secure alternative is to send an encrypted secret link and communicate the decryption passkey separately. This guide provides a practical workflow for employees, IT teams, consultants and service providers who need to transfer a credential safely.
Create the protected link first, then deliver the passkey through a different trusted channel.
Create a Secure SecretSending the link and passkey as two consecutive messages in the same compromised account provides little separation. A real separate-channel approach uses communication paths with different access controls—for example, link by corporate email and passkey by a verified phone call.
The objective is not inconvenience. It is to prevent one stolen mailbox, chat session or forwarding rule from delivering every component needed to reveal the secret.
A verified voice call is appropriate for highly privileged credentials. Signal or another approved secure messenger can work when the recipient identity is already established. SMS may be acceptable for lower-risk transfers but has known account-takeover and SIM-swap risks.
Do not send the passkey in the subject line, the same ticket, an attachment next to the link or a calendar invitation visible to multiple participants.
The secret is encrypted with AES-256-GCM, which protects confidentiality and detects unauthorized modification. PBKDF2-HMAC-SHA-256 derives the encryption key from the passkey and a random salt. A unique initialization vector is used for encryption.
The recipient’s browser performs decryption after the correct passkey is entered. The server therefore does not need to process the readable password. The link token can also be represented in storage by its SHA-256 hash rather than the original token.
Organizations can reduce confusion with one clear rule: never place a password directly in email, chat or a ticket. Use the approved encrypted-sharing tool, send the passkey separately and rotate the credential whenever the access is temporary.
The policy should name the approved channels, define maximum expiration times and explain how recipients are verified. A short process that employees can follow is more effective than a complex rule that encourages workarounds.
Send only the encrypted link by email, not the plaintext password. Communicate the decryption passkey through a separate trusted channel.
End-to-end encryption helps in transit, but the password may remain visible and backed up on endpoints. An expiring encrypted secret link provides better lifecycle control.
No. Two messages in the same mailbox are usually exposed together. Separate the encrypted link and passkey across different channels.
Temporary or initial credentials should normally be changed after first use. Privileged credentials should be rotated according to organizational policy.
Use a long random passphrase or generated value that is unique to the secret and is communicated separately from the link.
Protect passwords, files and confidential text with encrypted links, a separate passkey and browser-side decryption.
Start Secure SharingContent reviewed on 14 July 2026. Security requirements should be adapted to your organization’s risk, policy and regulatory obligations.