Most people use email for this, but this can be a very insecure way to send information. Even if it arrives without someone gaining access, there are now copies of passwords in your own email and in your client’s ‘sent’ folder.
Spreadsheets are also a terrible option, with passwords being stored in plain text with copies created everywhere that file moves.
These practices can also make insecure password sharing seem normal to your client. So when a malicious person asks for their password in the future, they may hand it over without a second thought.
Let’s look at a few ways you can request passwords without as much risk.
Note: Depending on where you operate, there may be laws that restrict certain methods, or even the storage of your clients' passwords, so please look into this before you go ahead. These methods of collecting passwords are not legal advice.
1. Don’t collect them
I know, I know. You’ve come to learn how to collect passwords and this guy is telling you not to.
But hear me out.
If you can avoid collecting them at all, this is the best option.
One example is asking them to create you as a user on their account. If you need a WordPress login, for instance, you could send them a video or a list of steps on how to add you as a user.
You’ll receive an email with a way to reset your password.
This works for lots of different apps and services, and is the most secure option to get access to client accounts.
Of course there are times when this isn’t possible, or your clients aren’t tech-savvy enough to work it out. Plus there is an argument for making things very simple and easy for your clients.
2. Screen share
You could also do this process FOR your clients by screen sharing, taking control of their computer and creating the accounts for yourself.
I’ve done this when I needed access to something just once. Instead of dealing with passwords and 2-factor authentication, it’s easier to just get them to log in and then you control their keyboard and mouse remotely to do what needs to be done.
Zoom and Microsoft Teams can do this and are free. This is particularly useful when working with less tech-savvy clients or dealing with one-time access needs.
3. Analog methods
Before moving on to the techy solutions, I have to mention in-person meetings and phone calls. While there are still risks, these are both better than email.
However, these methods are not ideal for compliance-heavy industries, like accounting or legal services, where documentation of access logs is often required.
4. Password managers
When you receive passwords, put them immediately into a secure password manager like 1Password or Bitwarden. Never store them in spreadsheets or plain text.
According to cybersecurity statistics, using a password manager can reduce credential-related breaches by up to 60%. If your client is tech savvy enough, they could create an account, add the passwords and share them with you.
While a more secure option, this is often a bit too much to ask of clients.
5. Content Snare (recommended)
Clients use Content Snare to collect just about any kind of information from anyone. It’s a trusted document and credentials collection platform used by businesses worldwide, including accountants, marketers, law firms, and many others.
The confidential fields feature allows you to keep confidential information, like passwords, extra secure.
The main benefit here is that you can request passwords at the same time as collecting all the other information you need from your client. Think of it like a checklist of things your client needs to provide, with automatic reminders to keep them accountable.
Besides that, Content Snare introduces multiple security mechanisms to protect your work:
- Encryption
- 2-factor authentication
- PIN codes
- Throttling
The best part is that Content Snare safeguards client credentials while improving your workflow efficiency. In fact, businesses using Content Snare report a 67% reduction in stalled projects and a 9x ROI on document collection time.
If you’re ready to experience a platform that puts security first, start your 14-day trial and see how Content Snare makes your client comms effortless.
6. Onetime Secret
Onetime Secret and similar services allow you to enter some information and create a special link to it that can only be accessed once.
In short, you instruct your clients to enter their passwords, type in a passphrase and generate a link. You access that link and put all the passwords in your secure password manager.
Using Onetime Secret via email
This is as simple as emailing them with a short explanation on how the process works, with a link to Onetime Secret.
You can make it easier by including a small block of text that they can paste in, like this:
WordPress login
Url:
Username:
Password:

Web Hosting login
Url:
Username:
Password:
Of course you would extend this to as many services as you need. You may also want to encourage them to send one Secret with the usernames and one with passwords. There is a balancing act between security and making things simple for your clients.
Now of course, using a service like this has its own risks. The hosted version of Onetime Secret runs on someone else's server, so you are trusting that server with the secret while it waits to be read.
The source code to Onetime Secret is available so you could spin up your own if you’re technical enough. There are similar ones like pwx as well.
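To make the one-time-link idea concrete, here is an added example (not Onetime Secret's own code) of the core behaviour a self-hosted service needs: a secret is stored under an unguessable link token together with a passphrase check, the first correct retrieval returns it and burns it, and expired or repeatedly mis-guessed secrets are burned without being revealed. The in-memory store, the three-attempt limit and the one-hour default lifetime are assumptions for the demo.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional

# Minimal in-memory "burn after reading" store modelled on the Onetime Secret
# flow described above. Demo only: the payload is held in plain memory here,
# whereas a real service encrypts it at rest with the passphrase.
_STORE: Dict[str, dict] = {}
MAX_ATTEMPTS = 3  # assumed limit: burn the secret after this many wrong guesses


def _kdf(passphrase: str, salt: bytes) -> bytes:
    # scrypt, so a copied store does not give up passphrases quickly
    return hashlib.scrypt(passphrase.encode(), salt=salt, n=2**14, r=8, p=1)


def create_secret(payload: str, passphrase: str, ttl_seconds: int = 3600) -> str:
    """Store payload; return the unguessable token that goes into the link."""
    token = secrets.token_urlsafe(32)
    salt = secrets.token_bytes(16)
    _STORE[token] = {
        "payload": payload,
        "salt": salt,
        "verifier": _kdf(passphrase, salt),  # passphrase itself is never stored
        "expires": time.time() + ttl_seconds,
        "failures": 0,
    }
    return token


def read_secret(token: str, passphrase: str) -> Optional[str]:
    """Return the payload exactly once; None for unknown, expired, burned or wrong passphrase."""
    entry = _STORE.get(token)
    if entry is None:
        return None
    if time.time() > entry["expires"]:
        del _STORE[token]  # expired: burn without revealing
        return None
    # constant-time comparison so timing does not leak how close a guess was
    if not secrets.compare_digest(_kdf(passphrase, entry["salt"]), entry["verifier"]):
        entry["failures"] += 1
        if entry["failures"] >= MAX_ATTEMPTS:
            del _STORE[token]  # too many guesses: burn rather than allow brute force
        return None
    del _STORE[token]  # burn on first successful read
    return entry["payload"]


def is_stored(token: str) -> bool:
    """True while the secret is still waiting to be read."""
    return token in _STORE
```

Whoever receives the link needs both the token and the passphrase, which is why the passphrase should travel by a different channel (a phone call, for example) than the link itself.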