5 Common Mistakes People Make When Sharing Passwords Online
James Whitfield
20 May 2026
5 Common Mistakes People Make When Sharing Passwords Online
We’ve all been there. A colleague needs access to a shared account, a family member asks for the Netflix login, or your freelancer needs the credentials to your CMS. What do you do? If you’re like most people, you fire off a quick text message, email, or Slack DM with the username and password in plain text.
It feels harmless — fast, convenient, and easy. But this single habit is one of the biggest security risks most people overlook every day. According to a 2023 report by the Ponemon Institute, over 51% of data breaches involve compromised credentials. And a staggering number of those breaches trace back to one simple problem: passwords shared insecurely.
In this post, we’ll walk through the five most common mistakes people make when sharing passwords online, explain why each one is dangerous, and show you how simple tools — like disposable encrypted notes — can eliminate the risk almost entirely.
Mistake #1: Sending Passwords in Plain Text via Email
Why People Do It
Email feels private. You’re sending a message from your inbox to their inbox — it seems like a sealed envelope. But it’s not. Email is more like a postcard: it passes through multiple servers, can be intercepted in transit, and often sits in inboxes (and trash folders) indefinitely.
Why It’s Dangerous
- Emails are stored in plain text on mail servers, often for years.
- If either your account or the recipient’s account is compromised, the attacker instantly has the password.
- Emails are frequently backed up and archived by corporate IT systems, multiplying the number of places your password lives.
- Forwarding chains can accidentally expose credentials to unintended recipients.
- Slack and Teams messages are searchable by workspace admins and through eDiscovery tools.
- Chat logs are backed up to iCloud, Google Drive, or corporate backup systems — often without encryption at rest.
- Shared devices, screen sharing, and shoulder surfing can expose chat histories.
- Many chat apps retain message history indefinitely by default.
- You use the same password for your project management tool and your personal email.
- You share that password with a contractor via a text message.
- The contractor’s phone is lost or stolen.
- An attacker finds the message, tries the password on common services, and gains access to both your project management tool and your personal email.
- Use a password manager to generate unique, strong passwords for every account.
- When you need to share a credential, share it through a one-time encrypted note, not a persistent message.
- Change the password after the person no longer needs access.
- Former employees are a leading cause of insider-related breaches.
- Shared credentials with no expiration create an ever-growing attack surface.
- You lose the ability to track who accessed what and when.
- Use disposable encrypted notes with automatic expiration. Many services allow you to set a note to self-destruct after a specific time period (e.g., 1 hour, 24 hours) or after a single view.
- Set a calendar reminder to rotate shared passwords after the access window closes.
- Wherever possible, use time-limited access tokens or temporary accounts instead of sharing permanent credentials.
- A single compromised Google account exposes every credential in the document.
- These documents are often shared with broad permissions — sometimes with “anyone with the link can view.”
- There’s no access logging — you can’t tell who viewed the document or when.
- Old, outdated passwords sit alongside current ones, creating confusion and risk.
- These files are frequently indexed by internal search tools, making them easy to find for anyone with access to the workspace.
- Migrate to a team password manager like 1Password for Teams, Bitwarden, or Dashlane Business. These tools are designed for secure credential sharing with access controls, audit logs, and encryption.
- For one-off sharing situations, use a disposable encrypted note — share the credential once, let it self-destruct, and leave no trace.
- Delete any existing password documents and audit who had access to them. Change every password that was stored in those files.
- You write your password (or any sensitive information) in the note.
- The note is encrypted in your browser before it ever reaches the server.
- You receive a unique, one-time link.
- You send that link to the recipient through any channel.
- The recipient opens the link, reads the note, and the note is permanently destroyed.
- Enable two-factor authentication (2FA) on every account that supports it. Even if a password is compromised, 2FA adds a critical second layer of defense.
- Use passphrases instead of passwords. A phrase like `correct-horse-battery-staple` is both easier to remember and harder to crack than `P@ssw0rd!`.
- Audit shared access quarterly. Review who has access to what and revoke anything that’s no longer needed.
- Educate your team. Security is only as strong as the least informed person on your team. Share this post with your colleagues.
- Never share passwords over phone calls or voicemail. These can be recorded, intercepted, or overheard.
Real-world example: In 2020, a major marketing agency suffered a breach after an intern’s email account was phished. The attacker searched the inbox for keywords like “password” and “login” and found credentials to the agency’s social media management platform — shared months earlier in a casual email thread.
What to Do Instead
Never send a password in the body of an email. If you absolutely must use email as a delivery channel, send a link to a disposable encrypted note that self-destructs after it’s been read. This way, even if the email is compromised later, the password is already gone.
Mistake #2: Sharing Credentials Through Chat Apps Without Encryption Awareness
The Illusion of Security
Slack, Microsoft Teams, Discord, WhatsApp, iMessage — we use these apps constantly, and many of them do offer encryption. So what’s the problem?
The problem is persistence. Even in end-to-end encrypted apps, messages are stored on devices, synced across platforms, and often backed up to cloud services. A password you sent in a Slack DM six months ago is still sitting there, searchable, waiting for someone — or some breach — to expose it.
The Specific Risks
What to Do Instead
Use a self-destructing encrypted note and share only the link through your chat app. Once the recipient opens the note, the content is permanently deleted. The chat history will only show a link to a note that no longer exists — rendering it useless to anyone who finds it later.
Mistake #3: Using the Same Password Across Multiple Accounts (and Then Sharing It)
This is a double threat. Password reuse is already one of the most dangerous habits in cybersecurity. When you share a reused password, you’re not just giving someone access to one account — you’re potentially handing them (or any attacker who intercepts the message) the keys to multiple accounts.
The Domino Effect
What to Do Instead
Pro tip: If you’re sharing access to a service that supports it, create a separate user account for the other person instead of sharing your own credentials. This gives you an audit trail and the ability to revoke access without changing your own password.
Mistake #4: Not Setting Expiration or Limits on Shared Credentials
The “I’ll Change It Later” Trap
How many times have you shared a password with the mental note that you’d change it “after the project is done”? Be honest. And how many times did you actually follow through?
Most people don’t. The result is zombie credentials — passwords that were shared temporarily but remain active and exposed indefinitely. This is especially dangerous in professional settings where contractors, freelancers, and former employees may retain access long after their engagement has ended.
Why This Matters
What to Do Instead
Mistake #5: Storing Shared Passwords in Shared Documents or Spreadsheets
The Dreaded “Passwords.xlsx”
It’s more common than you’d think. Teams maintain shared Google Sheets, Notion pages, or even Word documents titled something like `Team Logins` or `Shared Passwords`. These documents become a single point of catastrophic failure.
Why This Is a Nightmare
Alarming stat: A 2022 survey by Keeper Security found that 49% of IT professionals admitted their organizations store shared passwords in spreadsheets or documents.
What to Do Instead
How Disposable Encrypted Notes Solve the Problem
You’ve probably noticed a recurring theme in the solutions above: disposable encrypted notes. Here’s why they’re so effective:
| Feature | Email / Chat | Shared Document | Encrypted Note |
|—|—|—|—|
| End-to-end encryption | Sometimes | Rarely | Always |
| Auto-deletion | No | No | Yes |
| Single-view option | No | No | Yes |
| Searchable after sending | Yes | Yes | No |
| Leaves a persistent trail | Yes | Yes | No |
A disposable encrypted note works like this:
Bonus Tips for Secure Password Sharing
Before we wrap up, here are a few additional best practices to keep your credentials safe:
Conclusion
Sharing passwords is sometimes unavoidable — but sharing them insecurely is always avoidable. The five mistakes we’ve covered — sending credentials in plain text email, using persistent chat messages, sharing reused passwords, neglecting expiration dates, and storing passwords in shared documents — are all incredibly common and incredibly dangerous.
The good news? Every one of these mistakes has a simple fix. By adopting disposable encrypted notes for one-time sharing and a password manager for ongoing credential management, you can eliminate the vast majority of password-sharing risks in minutes.
Security doesn’t have to be complicated. It just has to be intentional.
Take Action Today
Ready to stop putting your passwords at risk? Start using disposable encrypted notes for your next credential share. It takes less than 30 seconds to create a self-destructing note, and it could save you from a devastating breach.
Review your recent emails and chat messages for any passwords shared in plain text. Change those passwords immediately, and commit to sharing credentials securely from now on. Your future self will thank you.
Written by Sarah Johnson — cybersecurity advocate, digital privacy enthusiast, and firm believer that good security habits shouldn’t require a PhD in computer science.