Security basics
Emailing a password is one of those habits that feels fine until it is not. It is fast, familiar, and everyone already uses email. But from a security perspective, it is one of the riskiest things you can do with a credential — and the risk does not go away once the email is sent.
When you send an email, a copy lands in your sent folder. Another copy lands in the recipient's inbox. If either party uses a corporate email provider, there is likely a third copy in a compliance archive. Some organisations are legally required to retain email for years. That password you emailed last Tuesday may still be sitting in three or four locations next decade.
Unlike a conversation you have in person, email does not fade. It is text on a server, indefinitely.
Most email providers encrypt data in transit: between your device and their servers, and usually between their servers and the recipient's provider, although that second hop is opportunistic TLS unless both sides enforce MTA-STS or DANE. At rest, on the server, email is typically stored in a form the provider can read. That means the provider's employees, law enforcement with a warrant, and any attacker who gains access to the account or the provider's infrastructure can read it.
Some providers encrypt email at rest with a zero-knowledge (end-to-end) design, where the provider holds no key that can read the message, but this is the exception, and it generally only applies when both sender and recipient use the same provider.
Password spray attacks, phishing campaigns, and credential stuffing attacks target email accounts at massive scale. Email is the master key to most people's digital lives — which makes it the highest-value target. When someone's email account is compromised, the attacker typically searches the inbox for anything valuable: passwords, financial information, account recovery links.
An inbox full of credential emails is a jackpot for an attacker. And because email is archived, they do not just get recent passwords — they get everything you have ever sent or received.
Once a password is in someone's inbox, you have lost control of it. You cannot delete it from their mail server. You cannot revoke it from their archive. If that person leaves their job, their inbox may still be accessible to their employer — or may sit on a device that is later lost or stolen.
Consider a common scenario: you manage a website for a client, and when the project ends, you email them their WordPress admin password. A few things are now true:
Two years later, the client's email account is compromised in a phishing attack. The attacker searches for “password” and finds your email. The website — which may now have thousands of users — is fully exposed. You did nothing wrong other than use email. But the outcome is the same.
A one-time secret link encrypts the credential in your browser before anything is uploaded, stores only the ciphertext on a server, and destroys that ciphertext the moment the link is opened. The decryption key travels in the URL fragment (the part after the #), which browsers do not include in the request, so the server never receives it, cannot store it, and cannot log it.
The recipient opens the link once, sees the credential, and the link is dead: the server record is gone, and the link left behind in a chat log or browser history no longer decrypts anything. The link itself still travels over whatever channel you use, so the protection comes from the single-read destruction. If someone else opens it first, the intended recipient finds a burned link, which is the signal to rotate the credential and look into who read it. This is the most practical replacement for email-based credential sharing. It requires no software installation, no account, and about 30 seconds of setup.
If you are sharing credentials with someone on an ongoing basis — a team member, a long-term client — a password manager with sharing features (1Password, Bitwarden, Dashlane) is worth setting up. Shared vaults give both parties persistent access and let you rotate credentials without re-sending.
The downside is that both parties need to use the same tool, and shared vaults require ongoing management. For one-off handoffs, this is usually overkill.
Signal provides end-to-end encrypted messaging where messages can be set to auto-delete after a time period. This is significantly better than standard email or SMS. The main limitation is that it requires the recipient to use Signal, which is not always the case in professional contexts. For consumer use — sharing a password with a family member, for example — Signal is a reasonable option. For professional use, a one-time link is usually more practical because it works with any communication channel.
A common response to concerns about emailing passwords is: “I'll just change the password once they receive it.” This is better than nothing, but it misses the point.
The risk is not primarily that the recipient will misuse the credential. The risk is that the email containing the old credential will remain in both inboxes indefinitely, and that email may be compromised at any point in the future. Even if the password is changed, the email is still there — and if the attacker is patient, they might use it to understand account patterns, naming conventions, or other information that helps them attack further.
The cleaner solution is to never create the persistent record in the first place.
If you manage a team, here is a simple policy that covers most cases:
This is not a complicated policy. It takes almost no additional time once it becomes habit. And it eliminates the most common source of credential exposure: the email thread.
Email stores everything, forever. Credentials sent over email are never truly gone — they are sitting in archives on servers you do not control, waiting for someone to find them. A one-time encrypted link destroys the credential the moment it is read. It takes 30 seconds to use and leaves nothing behind.
Try the better way
Paste a password, get a one-time link, share it. No account required.
Create a secret link →