Video call security
Sharing a password in a video call chat feels almost harmless. The call is already happening. The other person is right there on screen. Dropping the credential into the chat window seems like the fastest way to get them what they need. What most people do not realise is that Zoom and Google Meet chat messages are stored after the call ends — sometimes indefinitely, sometimes as part of meeting transcripts and recordings, and often in ways that are accessible to more people than just the two participants on the call.
Chat is saved to Zoom's servers. By default, Zoom saves in-meeting chat messages. Whether they are saved depends on the host's settings and the organisation's Zoom plan, but the default behaviour for many Zoom configurations is to retain chat content.
Chat transcripts are included in meeting recordings. If the host records the meeting — to Zoom Cloud or locally — in-meeting chat messages are included in the recording package. A credential shared in the chat will appear in the transcript file that accompanies the recording. Cloud recordings are stored on Zoom's servers and accessible to the host and, depending on settings, other members of the Zoom account.
Meeting summaries and AI features. Zoom has added AI-powered meeting summary features (Zoom AI Companion) that process meeting content — including chat — to generate summaries, action items, and transcripts. A credential in the chat may be processed by these AI features and included in generated summaries.
In-meeting chat is visible to all participants. If a message is sent to “everyone” rather than a specific individual, it is visible to every participant in the call. In meetings with multiple attendees, a credential sent to the wrong recipient selection is immediately exposed.
Chat messages are retained in Google Chat. In Google Meet, in-call messages are stored in Google Chat (formerly Hangouts). After the meeting ends, the chat thread is accessible via Google Chat. For Google Workspace users, this means the messages are part of the organisation's Google Workspace data — retained under whatever data retention policy the organisation has configured, which defaults to indefinite retention.
Google Vault integration. Google Workspace includes Google Vault, a compliance and archiving tool. Organisations that use Google Vault retain all Google Chat messages, including those from Meet sessions, for compliance purposes. A credential shared in a Meet chat in a Google Workspace environment may be archived in Google Vault indefinitely.
External participants. Google Meet allows external participants — people outside your organisation — to join calls. If a credential is shared in the chat of a meeting with external participants and the message is sent to “everyone,” it is visible to those external users and may be retained in their Google Chat history as well.
False sense of impermanence. The biggest risk is not technical — it is psychological. Video call chat feels live and momentary. The call ends, the window closes, and the credential feels gone. It is not gone.
Recording inclusion. If the meeting is recorded — and in many professional environments, recording is on by default or enabled by the host without the other participant knowing — the credential is now in a video file and an associated transcript.
Multi-participant exposure. On calls with more than two people, a message sent to “everyone” (often the default) exposes the credential to all attendees.
Admin access in enterprise environments. In corporate Zoom and Google Workspace deployments, administrators have access to meeting data including chat history.
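An added example, not part of the original article: a small scanner a security team could run over saved meeting chat to find credentials that now need rotating, noting whether each went to everyone or to one person. The transcript line layout, sample lines, names and the entropy threshold are assumptions constructed for illustration.

```python
import math
import re

# Assumed export layout: "HH:MM:SS From <sender> to <recipient>: <text>"
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2})\s+From\s+(.+?)\s+to\s+(.+?)\s*:\s(.*)$")
# Labelled disclosures such as "password: value" or "api key = value"
LABELLED_RE = re.compile(
    r"(?i)\b(?:password|passwd|pwd|pass|api[ _-]?key|token|secret)\b\s*(?:is|[:=])\s*(\S{6,})")
TOKEN_RE = re.compile(r"[A-Za-z0-9+/_\-]{20,}")   # long unlabelled strings (keys, tokens)
URL_RE = re.compile(r"https?://\S+")               # simplification: links are not scanned

def shannon_entropy(s):
    """Bits per character; random keys score higher than ordinary words."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def find_secrets(text):
    text = URL_RE.sub("", text)
    hits = [m.group(1) for m in LABELLED_RE.finditer(text)]
    for tok in TOKEN_RE.findall(text):
        if tok not in hits and shannon_entropy(tok) >= 3.5:
            hits.append(tok)
    return hits

def redact(value):
    # Keep two characters so the owner can identify the credential to rotate.
    return value[:2] + "*" * (len(value) - 2)

def scan_transcript(transcript):
    findings = []
    for line in transcript.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        when, sender, recipient, text = m.groups()
        # Private messages are still stored server-side; only the in-call audience differs.
        audience = "all participants" if recipient.lower() == "everyone" else "private"
        for secret in find_secrets(text):
            findings.append({"time": when, "sender": sender,
                             "audience": audience, "redacted": redact(secret)})
    return findings

SAMPLE = """\
09:58:02 From Dana to Everyone: can everyone see my screen?
10:02:11 From Priya to Everyone: staging password: Tr0ub4dor&3xample
10:03:40 From Priya to Sam (Direct Message): use key 9fQ2xLr7VbT1mZc84KdPwy3A
10:05:19 From Sam to Everyone: one-time link instead: https://example.com/s/Zk3vQ8pL1xW7nB4tR9yH2mC6
"""  # constructed sample, not a real export

if __name__ == "__main__":
    for finding in scan_transcript(SAMPLE):
        print(finding)
```

Every finding should be treated as a credential to rotate, since the stored copy cannot be assumed to be private.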
The fastest secure alternative during a live call is to generate a one-time encrypted link before or during the call and share that in the chat instead.
This is particularly useful for onboarding new employees during an orientation call, handing over access to a client during a project kickoff, providing server credentials to a contractor on a troubleshooting call, or sharing staging environment access during a review session.
For related reading, see sharing passwords on Slack, Teams, or Discord — the same risks apply to those platforms' built-in call features.
Saying a password out loud on a video call is better than typing it in the chat — at least it is not stored as text. But if the meeting is being recorded, the spoken password is now in an audio and video file. Automated transcription (which both Zoom and Google Meet can produce) will attempt to transcribe it as text. For complex credentials (long API keys, randomly generated passwords), verbal handoff is impractical and error-prone. A one-time link is faster, more accurate, and leaves no record regardless of whether the call is recorded.
It reduces the risk but does not eliminate it. Zoom stores in-meeting chat on its servers regardless of recording status. Google Meet chat is stored in Google Chat regardless of whether the meeting was recorded. Recording adds an additional exposure vector but is not the only one.
Zoom allows you to send a private message to a specific participant rather than everyone in the call. This reduces the in-call visibility risk. But the same server-side storage, recording inclusion, and admin access risks still apply to private messages.
Both platforms store chat data server-side and integrate with broader productivity and compliance ecosystems. Neither is safe for plaintext credential sharing. The differences are in implementation details, not in whether the data persists.
Zoom and Google Meet chat messages are stored after the call ends. In many configurations they are included in recordings, processed by AI features, and accessible to administrators. A credential shared in video call chat is not ephemeral — it is a persistent record. Sharing a one-time encrypted link in the chat instead takes the same number of seconds and ensures the credential is destroyed the moment the recipient opens it.