Most people use email for this, but it can be a very insecure way to send information. Even if the message arrives without being intercepted, there are now copies of the passwords sitting in your own inbox and in your client's 'sent' folder.
Spreadsheets are also a terrible option: the passwords are stored in plain text, and a new copy is created everywhere that file travels.
These practices can also make insecure password sharing seem normal to your client, so when a malicious person asks for their password in the future, they may hand it over with far less hesitation.
Let’s look at a few ways you can request passwords without as much risk.
The examples will be using Content Snare - which is our software product for collecting information from clients. The same methods can be used via email. As of writing, Content Snare does not have a dedicated system for collecting passwords, but this may change in the future.
Depending on where you operate, there may be laws that restrict certain methods of collecting, or even storing, your clients' passwords, so please look into this before you go ahead. These methods of collecting passwords are not legal advice.
1. Don’t collect them
I know, I know. You’ve come to learn how to collect passwords and this guy is telling you not to.
But hear me out.
If you can avoid collecting them at all, this is the best option.
One example is asking the client to add you as a user on their own account. For example, if you need a WordPress login, you could send them a video or a list of steps showing how to add you as a user.
You'll then receive an email with a link to set your own password, so the client never has to share theirs.
This works for lots of different apps and services, and is the most secure way to get access to client accounts.
Of course there are times when this isn’t possible, or your clients aren’t tech-savvy enough to work it out. Plus there is an argument for making things very simple and easy for your clients.
2. Screen share
You could also do this process for your clients over a screen-sharing session: take control of their computer and create the accounts yourself.
I’ve done this when I needed access to something just once. Instead of dealing with passwords and 2-factor authentication, it’s easier to just get them to log in and then you control their keyboard and mouse remotely to do what needs to be done. Zoom can do this and is free.
3. Analog methods
Before moving on to the techy solutions, I have to mention in-person meetings and phone calls. While there are still risks, these are both better than email.
4. Password managers
When you receive passwords, they should go immediately into a secure password manager such as 1Password or Bitwarden. Never store them in spreadsheets or plain text.
However, many of these managers can also be used to share passwords. If your client is tech-savvy enough, they could create an account, add the passwords and share them with you.
While a more secure option, this is often a bit too much to ask of clients.
5. Content Snare (recommended)
The main benefit here is that you can request passwords at the same time as collecting all the other information you need from your client. Think of it as a checklist of things your client needs to provide, with automatic reminders to keep them accountable.
6. One Time Secret
One Time Secret and similar services allow you to enter some information and create a special link to it that can only be accessed once.
In short, you instruct your clients to enter their passwords, type in a passphrase and generate a link. You access that link and put all the passwords in your secure password manager.
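As an added illustration (not Content Snare's or One Time Secret's own code), here is a small Python model of the one-time-link mechanism just described: a secret is filed under a random link token, optionally locked with a passphrase, and deleted on its first successful read or when its lifetime runs out. The store class, its time parameter and the sample username and password are constructed assumptions of this example, not details from the real service.

```python
import hashlib
import hmac
import secrets
import time

class OneTimeSecretStore:
    """Model of a one-time-secret service (constructed example, not One Time Secret's code).
    A secret sits on the server under a random link token, optionally locked with a
    passphrase, and is deleted on its first successful read or when its lifetime lapses."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._entries = {}  # token -> {"secret", "salt", "pass_hash", "expires"}

    def _hash(self, passphrase, salt):
        # Assumed work factor; only a salted hash of the passphrase is kept, never the passphrase.
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

    def create(self, secret, passphrase=None, now=None):
        """Store `secret`; return the unguessable token that goes into the share link."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(16)
        salt = secrets.token_bytes(16)
        pass_hash = self._hash(passphrase, salt) if passphrase else None
        self._entries[token] = {"secret": secret, "salt": salt,
                                "pass_hash": pass_hash, "expires": now + self.ttl}
        return token

    def retrieve(self, token, passphrase=None, now=None):
        """Return the secret once; None if unknown, expired, already read or wrong passphrase."""
        now = time.time() if now is None else now
        entry = self._entries.get(token)
        if entry is None:
            return None
        if entry["expires"] <= now:
            del self._entries[token]  # expired: discard without revealing it
            return None
        if entry["pass_hash"] is not None:
            candidate = self._hash(passphrase or "", entry["salt"])
            if not hmac.compare_digest(candidate, entry["pass_hash"]):
                return None  # wrong passphrase: the secret stays unread
        del self._entries[token]  # burn on the first successful read
        return entry["secret"]

if __name__ == "__main__":
    store = OneTimeSecretStore(ttl_seconds=600)
    tok = store.create("Username: client-admin\nPassword: example-only", "agreed-by-phone")
    print(store.retrieve(tok, "wrong-guess"), store.retrieve(tok, "agreed-by-phone"),
          store.retrieve(tok, "agreed-by-phone"))  # None, the secret, None
```

The passphrase is best agreed over a separate channel (a phone call, as the post suggests) rather than sent alongside the link.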
Using One Time Secret via email
This is as simple as emailing them with a short explanation on how the process works, with a link to One Time Secret.
You can make it easier by including a small block of text that they can paste in, like this:
WordPress login
Url:
Username:
Password:

Web Hosting login
Url:
Username:
Password:
Of course you would extend this to as many services as you need. You may also want to encourage them to send one Secret with the usernames and one with passwords. There is a balancing act between security and making things simple for your clients.
Of course, using a service like this has its own risks. One Time Secret runs on someone else's server, so the secret sits there, outside your control, until it is retrieved.